How do companies evaluate the severity and impact of the vulnerability? I don't work in security, but it seems like this is worth more than $15,000.


Companies evaluate severity based on impact. There are different tiers of vulnerability.

A vulnerability that affects a particular website is significantly less valuable than one that affects many websites.

Companies like Google and Facebook actually overpay for vulnerabilities because 1) they're flush with cash and can, 2) it's excellent for goodwill in the industry, 3) it's an excellent recruiting tool and 4) it augments an already strong internal security program.

If you hypothetically tried to go to the black market with this vulnerability you wouldn't even find a buyer. When Facebook patches this, it's useless, and you'd have to derive more than whatever you paid for. At this point it's a betting game - do you think you can earn back $100,000 using this exploit before Facebook catches wind of it?

Conversely, vulnerabilities that are very highly valued tend to affect large numbers of websites in a format that is not easily patched. For example, many websites don't update WordPress often, which means that a vulnerability in WordPress is going to instantly get a CVE and a widespread push for awareness. Even so, it will be actionable for years.


It certainly would be worth more to some people.
