Comment by jovial_cavalier

2 months ago

The bounty is not a market. It's a subsidized incentive to subvert the market, and to give greyhat hackers a reason to be white-tinged instead of black-tinged. I would conservatively guess this guy could have found at least 30 people willing to pay $500 for details on this exploit, and he would've netted $5000 more than Google paid him to do the right thing.

Probably the risk of going to jail outweighs the extra $5k, but if a company were serious about its bug bounty program, it would offer a reward that's competitive with what you could extract from the black market, and I don't think that's hard to do.