If we choose to value everything we touch by way of "the next highest bidder might have paid $X for this" while fully ignoring their intentions (and so allowing black market sales to be in scope for the implied auction), I think you won't actually enjoy the society you end up with :(. Like, as a security researcher yourself, it might feel interesting to posit the exact addition of value we protect per incident, but I think the ramifications on how other work gets valued as well as what adverse side effects result from this mental model are scary.

It is thereby really only "required" (for the world to function) that there is sufficient monetary motivation for people who don't want to spend the rest of their life feeling either the guilt or stress (even if merely due to the ramifications of people finding out) of having done something "wrong" (which I put in quotes as I feel the "code is law" argument that can result at this point isn't actually that useful in a discussion of morality) to bother to then go out of their way to help (as opposed to not searching hard in the first place, looking the other way instead of reporting, or merely hoarding the bug as a parlor trick).

And so like, while I totally see how this bug could easily be worth at least tens of millions of dollars to someone, it isn't clear to me that finding and reporting this bug should imply that I would need to be paid (and "by who?" is a then a hard question to answer even if we think this, one which might bleed into "and how?" a bit as the first answer is probably awkwardly decentralized in scope) the tens (or even hundreds) of millions of dollars that that hypothetical black hat might have figured out how to extract (which I make a bit theoretical as profiting from crypto hacks is harder than people often assume, something I touch on in my article; I think you might have to go for extortion, and even that didn't work for the Wormhole hacker)... most people simply aren't of the moral constitution to be black hats (which is probably a good thing).

(In this case, the main lingering ethics question related to this bounty that I come back to occasionally is that there are projects--such as Metis--that forked Optimism and now compete with it using Optimism's own code and vision... projects that (in the case of Metis) are actually of similar size to it (based on "total value locked", which is imprecise but probably the best measure here for potential impact: Defi Llama lists Optimism at $344M and Metis at $347M) which are still relying on Optimism to motivate the security efforts for their platform... it feels at least awkward to me that they should get a "free pass" here simply because their listed bounties were lower than Optimism's? Like, even if you don't think I should get money from them, maybe they should be helping compensate Optimism?)