I think paying only $1000 for a potentially company-imploding bug like that is incredibly short-sighted.
It's far too low to motivate a lot of people to look for bugs, and to me suggests they're not serious about protecting their reputation if someone does find such a company-destroying bug.
HN has weird beliefs about the company-imploding properties of all sorts of bugs, from this to CSRFs that let you delete photos from Facebook. After all, a competitor could use it to erase all the photos on Facebook and then take over the market!
That was an actual argument on a thread about Facebook underpaying bounties.
To be fair, this bug is pretty nasty because it allows anyone to get all your stored passwords. That's like the core business of LastPass. LastPass leaking your login credentials for e.g. online banking is really not comparable to deleting Facebook photos.
How does paying extra money address the underlying concern that LastPass has absolutely trivial regex bugs that entirely defeat the security of the product? I agree that the bug is terrible, but the bounty and the impact of the bug on the company are largely orthogonal, unless the bounty includes a confidentiality term.