The point is, it's possible that if he was a black hat, he could have gotten much more for it on the black market. Even if it could only be used once or a few times.

Bounties should not only be higher than what you can get on the black market. They should be high enough to make security experts spend their time trying to win them. Given the probability of finding a bug with such impact, it is just not worth the time of any decent white hat (in terms of financial gain; sure, it's nice to brag about it, and that, I believe, is the biggest motivation).

Money-wise, for Facebook, it makes zero difference if they pay him that much or 5 times more.

>> The point is, it's possible that if he was a black hat, he could have gotten much more for it on the black market. Even if it could only be used once or a few times.

This is precisely my point. No, he couldn't have. I outlined why in the comment you responded to.

>> Money-wise, for Facebook, it makes zero difference if they pay him that much or 5 times more.

Leaving aside the fact that it obviously doesn't literally make "zero difference," should companies decide to pay more for things simply because they can afford to?
