by aspir 4522 days ago
Someone on the black market will almost always pay more than a company. The real value in responsible disclosure is typically from a consulting contract that may follow the report. Their leaderboard list also seems like a good way to build credibility in the community as well.
1 comment

I think an ideal balance point (for all companies, not just GH) is one where someone can make a very comfortable living finding and reporting security flaws. You simply don't do that with $100-$5k bounties. GitHub, more than nearly every company out there, is entrusted with trade secrets that are the livelihood of their customers. Paying top money to get security bugs found is not an option, but something that should be regarded as a "cost of doing business".