I think it's tricky to assess. There's a lot of support for the idea of high black-market prices for drive-by clientside remote code execution. Those vulnerabilities have a long half-life (because of the latency of patching) and maximal value to attackers (collect zombies, snarf payment card information, &c). Neither is true of website vulnerabilities.

For a vulnerability that can be instantly eradicated, everywhere, as soon as the target finds out it exists? There might not be much of a market at all.

(I don't know).

I think if you market this as a way into any private account (think celebrities, politicians, etc.), you could catch quite a price if you wait for the right buyer.

Think about what shady gossip newspapers pay paparazzi for breaking laws to get intimate pictures. In the right hands this exploit could be worth tons.


If you say so. I'm sure somebody will buy anything. But the idea that there's an easily-tapped market for Facebook vulnerabilities, similar to the one for browser vulnerabilities? Like I said, I don't know. But I'm skeptical.


Not really an "if you say so" case. There have been many celebrity photo sales exceeding $100K. Selling the fruits of the hack could easily net someone a lot of money, especially if they rarely used it and thus went undetected.

But that assumes the hacker is going to be his own fence. An arms dealer doesn't sell a gun on the basis of "yeah but if you jack 10 nice cars you'll make over $25K, so the gun is at least worth $4K".

Nonetheless, it just _feels_ that $4500 is a small amount, coming from such a large company. What is the downside of FB offering a higher reward, like, say, $20K? Or would the same argument apply, $20K is nothing compared to the millions tabloids would pay for a photo?


It's not a small amount relative to bounties from other big sites. These bounties are not representative of what companies like Facebook and Google spend on software security; they're thanking people who would be doing this kind of inspection anyways.

It's also not the case that this vulnerability == celebrity photos.


How would you sell the exploit? Your buyer would want to verify it works before buying, but then you've already given it away. It's not like you could enforce a contract on this.


You don't sell the exploit, you sell the hack. You could sell someone private access to all Facebook data of one person. Proving you have the ability is easy: you can just show one image that is supposed to be private, and promise the rest.


Create a private account, and get the other person to run the exploit?

