The amount paid depends on multiple variables:
- How widespread is the software/hardware? Popular products typically reach higher amounts.
- The scope of the bug(s) (affected products, criticality, attack vector, required configuration, user interaction, limitations, etc.).
- The quality of the exploit (reliability, bypassed exploit mitigations, covered versions/systems/platforms, process continuation, no hardcoded offsets or ROP, etc.).
For example, if you find an unauthenticated remote code execution (RCE) vulnerability, you would be paid substantially more than for a privilege escalation (LPE/EoP) vulnerability.