I agree with you bug bounty programs for small companies/products aren't competing with the black market, but big ones like Apple, Uber, and Facebook certainly are. I was really only referring to these large folks. I agree that an XSS bug on AcmeBizSoftCo doesn't have much of a black market.
To take your FB Ad Manager example...just recently there was bug that allowed people to start campaigns for free (by somehow charging the bill to unrelated accounts). A bug like that has a small half-life but if it lets someone use up a million dollars in targetted ads over one weekend for free I would think you could still get quite a bit for it on a black market.
To take your FB Ad Manager example...just recently there was bug that allowed people to start campaigns for free (by somehow charging the bill to unrelated accounts). A bug like that has a small half-life but if it lets someone use up a million dollars in targetted ads over one weekend for free I would think you could still get quite a bit for it on a black market.