> The purpose of reward schemes is to reward white hats, not to compete with the bad guys for the black hat discoveries.
How many other industries are there where individuals with valuable skills routinely volunteer to help multi-billion-dollar corporations despite no guarantee of reward?
These people are doing work that typically warrants a six-figure salary or several hundred dollars per hour, and they're doing it almost entirely because it's the right thing to do. And Facebook should reward them well enough that they'll continue doing it, not only because it's good for the security of Facebook and its users but because it's the right thing to do.
I don't know how much Facebook has given to the other 65 people who disclosed exploits this year, but it will be innocent users who suffer most if they all share Yvo's sentiment.
He spent a day finding the exploit, and got $4500. That scales quite well if he can keep it up.
At the point the exploits are harder to find, Facebook can make a decision as to whether it's important to keep searching as hard, and raise or lower the price as they see fit. This is the market in action.
He might have made more on the black market, but why it would be worth more is important. On the black market, the transaction comes with legal risk. Risk increases payout (by reducing supply).