These arguments always remind me of people claiming that certain professions are not paid enough. They forget that there is a market for labor and in this case the labor is finding vulnerabilities. People will either be willing to work for the posted price or not. In the case of pen testing Facebook I'd be willing to bet there are plenty of people out there looking for bugs who aren't even really concerned with what the final payout is going to be.
Yeah, they could have gotten completely owned if he didn't report this. But to him reporting it and getting 10k in compensation was sufficient. Why would Facebook pay him a million if he was willing to take 10k?
Clearly the bounty was not enough for the mystery attacker / researcher / hacker / whatever that Orange discovered exploiting the same hole.
Seems more likely that Facebook wasn't thrilled that Orange included the details of an existing, unknown Facebook compromise in his write-up.
I would imagine that the latter of the two is almost always willing to pay more. I would also imagine that by the time you're a skilled pentester, you're in your mid-to-late thirties and maybe are worried about how you're going to put your kids through college, or how you're going to retire.
So what do you do? Do you take the larger sum of cash and plague yourself with worrying about bitcoins, how you're going to lie on your taxes, and deal with the ethics of helping shady organizations?
Or do you help the company? Now you don't have to lie on your taxes or launder bitcoin, but you do have the pressure to find more security problems to make enough cash to meet your financial needs.
And the ball is solely in the court of the companies running bounty programs: if they were to always provide more money than the black market, there's virtually no reason to bring it to someone else.
I don't think it's unreasonable for them to not want to give away more than they have to, but I get the sense that there's little to no negotiating power for the vulnerability finder, and they should probably work on that.
The reason is that for a vulnerability to be worth money, someone needs to have a business process ready to go to monetize the vulnerability. Without that proven process, a vulnerability is just like any "Show HN" without a business model or revenue.
There are certain kinds of vulnerabilities (browser code execution, most notably, but a couple of others) that organized criminals have whole businesses set up to drop in and run and make money with. If you have one of those vulnerabilities, you've got lots of takers for it, and the prices for those vulns are nosebleed high.
There are a few kinds of organizations that will pay for a Facebook serverside RCE. Good luck finding them. Or, I should say, not finding them. Those same organizations will kill you and your whole family just to make a point. That is, after all, the only reason they want to buy Facebook serverside RCEs.
The argument these comments are making is that this report should qualify in some way for a higher payout.
I'm not arguing for either side here, just noting that the comments that you refer to are fairly reasonable.
You forget that no assertion of values makes sense when divorced of context.
A little more seriously, somehow we have to find language for different types of coercion. Otherwise we'll end up lumping the whole complicated world into one lump.