It absolutely doesn't follow that it was enough. Someone might report it to facebook rather than sell it on the market out of principle regardless of the bounty, while still thinking that the bounty is way too low relative to the severity of the issue. (What's more, the size of the bounty might be revealed only after it's been reported.)

However, I'm unsurprised to find such reasoning on HN.

Actually, if the goal of a bounty program is to get reports instead of wild exploits, the only metric of success is getting the reports. In the case that someone would have reported it for reasons other than the bounty, the bounty is not only too much, but completely wasted.

How can you say it's completely wasted? This guy just blogged about getting $$$ from facebook, and it hit the front page of HN. It might inspire others to also report vulnerabilities. And conversely, if he was looking for bounties and didn't get any there would instead be a front page HN story about facebook not paying bounties.

That only holds if those bug hunters who read this consider the payout fair. Otherwise, they may decide not to spend time hunting on Facebook or may decide not to report bugs found in favour of the black market.

> What's more, the size of the bounty might be revealed only after it's been reported.

There's more than enough information on what Facebook tends to give out on various types of vulns. I wouldn't be surprised if there's a website out there that aggregates this sort of information. Even if you don't know precisely what you'll get, you'll at least have a rough idea.

> However, I'm unsurprised to find such reasoning on HN.

Honestly, as someone who is decidedly not a capitalist usually: either the bounty is a token "thank you", or it's a capitalist-minded attempt to get people to report vulns rather than ignore them or sell them on the market. In the former case, the amount doesn't really matter so long as it's not insulting, and in the latter, my argument that if it gets people providing vulns, it's enough, applies.

It's specifically not "payment", because payment-for-services requires that services were actually and specifically requested. It's a reward or a "thank you", and should be thought of as such - perhaps similarly to a reward for finding a lost kitten.

Parent's talking about the amount to achieve a goal, you're talking about what's fair. The two are valid, they just shouldn't be mixed up. The problem with the latter, of course, is that there's no objective measure, but you certainly can't assume the receiver is necessarily reasonable in his assessment.