
I'd have to say that it's pretty clear Facebook isn't offering enough, otherwise the first guy through the system would have claimed it.


Oh yeah, I'm just trying to determine a number that would make sense. Another angle to look at is what the black market would pay for whatever level of access. Might need official bounty to be a good fraction of that or equivalent to get more of the 0-days from black market. There's also balancing the cost of straight-up security staff vs the bugs others are finding. Maybe just pay good consulting to people with experience that you rotate in and out to find stuff others overlook with bounties paid based on effort and significance.

Many possibilities. This was worth way more than $10,000, though, given it detected a subversion. I'd have applied the consultant to a few other areas of my operation given the aptitude.



