Well the parent seemed to miss the point -- the real calculus is cost to the company if the exploit were to be used effectively, monetary benefit to the person who finds the bug, and the recognition you'd get in the blackhat community.
Yes the payout calc by company is cost to the company of an exploit, but with a repeated game scenario.
i.e. you can't look at the bug and payment in a vacuum, you have to factor in future bugs.
So the cost is the value to the company for the exploited bug if used properly plus the expected value of future bugs.
Which is weird, right? This shows companies can be internally incentivized to reduce bug bounty payments to show 'they are improving' when in fact, developers are leaving their bug bounty program.
