
Honest question: Do bug bounties with such low bounties really do more good than harm?

A bug bounty incentivizes people to look for bugs. But when you find an interesting bug like this, you have the option of either having the possibility of making millions from the social engineering possibilities alone, or claiming the bug bounty and getting $10k. Of course claiming the bounty is the moral thing to do, but some people with both the skill and motivation to do bug bounties are bound to have lower moral standards.




It's a good question, but I think the answer is no [err, re-reading your question I mean yes... thought it asked whether they did more harm than good]. Consider that you have a population of developers. Some of them are willing to break the law and cause highly probable harm (if only monetary) to someone else. Some are not. Those who are willing are motivated exactly as much whether there is a bug bounty program or not. Those who are not willing are motivated some amount (whether small or large, it is nonzero) by the existence of a bug bounty program to have a look and to turn over the information rather than sell or use it.

So, on the balance, you are increasing motivation for people who are not willing to harm for cash while leaving the motivation of the willing unchanged. I would be tempted to argue that it is flat out unwise to NOT run a bug bounty program, although it would be much smarter to offer larger bounties. I could make an argument for bounties exceeding the projected amount the vulnerability would be worth on the black market, I think, but that's a different subject.


I think it's hard to monetize most bug bounty bugs.

There isn't really a market for most XSS, CSRF or even RCE bugs for web properties. Getting the bounty payout for a bug from the owner is often the best deal available. I think the only exception to the no-market situation is browser RCEs and smartphone OS jailbreaks.


Right, and this one could have easily been monetized because it allows attackers to intercept and read any one of SendGrid's customer's private internal emails!


I don't agree that this could have been easily monetized.

This vulnerability only allows you to intercept future incoming emails that are delivered to SendGrid domains. Even if it did allow access to all of their customers' internal emails, there aren't many buyers (and no obvious marketplaces) out there for that kind of access.

The risk is simply too high: if you're Lyft (for example), being caught with that access (even if it was never used) would be a possible terminal event for the company. Purchasers would be buying a giant liability and a small competitive advantage.

Maybe there are shady companies or criminal groups who would be interested in the access but even then I feel $10k would be roughly how much money they'd be willing to spend (considering the same amount of money could also buy thousands of verified credit cards or a million email addresses at legitimate providers).


Corporate clients aren't the ones purchasing black market exploits, and the marketplaces aren't obvious. Just confirmed with a friend who does not have ties (disclaimer) that this one would be worth ~100k.


Maybe things have changed in recent years but here's some information on what I considered benchmark prices when I was more involved in this kind of thing. I have some background in vulnerability selling and I used to do this for a living (first government, then later tech company bug bounty programs).

The "grey market" prices I've seen (~5 years ago now) from independent researchers, small firms specializing in vulndev for law enforcement / intelligence and the bigger famous security firms go something like this ("black market" criminal markets are similar I hear but I have no first hand knowledge there):

250k would get you an iOS jailbreak (for a recent iOS version)

100k would get you an IE/Firefox/Chrome zero day (though not with a sandbox escape; you'd have to pay separately for a privesc)

~25k for a Linux privesc

For an RCE in medium popularity services (databases, FTP servers, etc.) you'd be looking at something like 10k (or often thrown in free with a bigger purchase or support contract as a goodwill gesture).

The prices would also change based on the quality of the exploit, how recent the version the exploit targeted was, the amount of exclusivity you want (more for full exclusivity) and whether the research was specially commissioned (if you had asked a firm to look into a specific piece of software the price would be higher). The larger providers also encouraged organizations to sign subscription deals and longer term service contracts that could include free exploits or reduced costs.

That said, there's a lot of information asymmetry in the market so I'd expect a lot of variance in prices.



