Not sure why you're downvoted, but the $3M/year total rewards payoff is likely smaller than the corporate administrative and developer time (for review) costs. I.e. if this was a charity it would pay out less than 50 cents on the dollar.
I downvoted because "cybersec researchers" do not in fact routinely make 7 figures. For strong pentester types reporting the typical (real) vulnerability the VRP handles, the median is probably in the low 6's.
It's a combination of the lower value of the median bug bounty submission (we hear about the high-ticket vulnerabilities, but most of them are pretty low-test) and the fact that huge numbers of bounty participants are abroad. I know there are people who claim to make high-6's and even low-7's from bounties, but they're very rare. I think most people who participate in bounties would be best off financially by using them to build a portfolio they can exploit to pivot into consulting or full-time work of some other sort.
Payouts for security-positive improvements to security-critical OSS projects:
* $20,000 for setting up continuous fuzzing with OSS-Fuzz
* $10,000 for high-impact improvements that prevent major classes of vulnerabilities
but the low end of the scale is kind of neat too:
* "$1,337 for submissions of modest complexity, or for ones that offer fairly speculative gains."
* "$500: our 'one-liner special' for smaller improvements that still have a merit from the security standpoint."
... and you can qualify for these even if your day job is working on one of these OSS projects!
> Q: I'm a core developer working on one of the in-scope projects. Do my own patches qualify?
> A: They most certainly do.
Neat stuff.
(Googler here, but I don't work on the VRP.)