The usual way to evaluate this is to consider the chance of being discovered (D) times the chance of being used as an exploit (E) times the cost of the exploit (C) with an appropriate discount factor (F). Think of the discount as the wholesale price of the exploit, what a mal actor might pay for the exploit.
For example, if there was a 1% chance of discovery, and a 50% chance of the person discovering it using it as an exploit, and it cost them 1 day of revenue ($50m) and they used a discount factor of 10%, that would indicate that the bounty would be worth about C * D * E * F = $25k.
If it's likely that the exploit would only last 5 hours, then $10k is a reasonable bounty.
That itself is pretty vague to determine as a hack could have an impact on reputation and the impact might not be limited to just one day. Future users might be afraid to use the product, current users might leave in few weeks.
For example, if there was a 1% chance of discovery, and a 50% chance of the person discovering it using it as an exploit, and it cost them 1 day of revenue ($50m) and they used a discount factor of 10%, that would indicate that the bounty would be worth about C * D * E * F = $25k.
If it's likely that the exploit would only last 5 hours, then $10k is a reasonable bounty.