The purpose of a bug bounty is to incentivize researchers to target specific pieces of software so that vendors can benefit from that attention.
If you're a 10 you will disclose responsibly regardless of a bounty, and if you're a 1 you will disclose to the highest bidder. The rest will weight profit, ethics, and risk in some ratio depending on where they fall on the scale and decide to act based on that calculation.
The company has to price their bounty on a few factors: how much they can afford to pay, how much a bug is worth to them (eg damage to their reputation, fines in the event of a vulnerability), and how important it is and to have researchers looking at their product instead of another product.
I agree with you that companies should not be required to pay people to prevent them from launching criminal conspiracies. But this is not a perfect world and people are not so black and white in their actions and motivations. There is no point trying to optimize your bounty program for the 1's or the 10's. Therefore, when optimizing for the rest it makes sense to pay as much as possible within the constraints I mentioned (in the previous paragraph) in order to tip the scales in your favor for the largest part of the spectrum possible. Right now the tech community knows about this problem with LastPass. If this exploit had made it to the wild things would've been much worse for them from a PR perspective.
I am hoping that the $1000 cap on the bounty program came from careful consideration of these factors, but my gut tells me it was a number handed down from management.
Your rationale would be a valid rebuttal in your world no matter what the amounts in question were. $500? Incentive! $50? Incentive!
As we can see from avlidienbrunn2's response [1] sometimes it's not about the money. It's just fulfilling a natural curiosity about a product, maybe getting your killer write-up of a shocking bug to hit the top of the HN frontpage, etc. So in this case perhaps the bounty program is as much about establishing a legal structure for a whitehat to operate under than to fairly compensate ad hoc pen-testers. I wish they paid 10x or more for this bug. But I'm glad at least pen-testers can report these bugs without [as much] fear of reprisal.
Personally I lost a lot of confidence in them when they got acquired and switched to 1Password, paying very low bounties for critical security flaws further hurts my confidence in them.
From my vantage point, the logical conclusion to the comment you just wrote is that companies should avoid offering bug bounties. They just attract negative attention.
(I won't use LastPass, and have recommended 1Password --- but Tavis Ormandy is looking at 1Password right now, and I'm guessing they're going to end up disappointing HN too.)
So the end effect is more bugs found by "white hats" rather than "black hats" because the bounty has focused the "white hat" efforts on your program. (Or encouraged them to look at all.)
I'm likely to poke around a site with a bug bounty even with small sums just because it hints at a more formal process and also likely means they have a sensible policy about not going after testers.
Bug bounties are as much about signalling than encouraging "black hats" to suddenly turn to the light side.
