I don't think you understand what this program is about. This isn't a bug bounty. Instead, they're doing for open source what Microsoft did with the Blue Hat Prize: they're paying people for defensive technology, of the kind that many developers on HN could design without knowing much of anything about modern exploitation technology.
NOBODY is bidding for that kind of work. Google is the only company paying for it.
It would still be plenty great if Google provided its bug bounty for libpng or libjpeg. Oh, wait, they do: their own code depends on these libraries, which is why they picked them.
I agree that it is nice of Google to offer to reward defensive reinforcement of some of the open source software they rely on. But I contend that this effort is unlikely to produce meaningful results that stand any chance at all of countering the R&D happening on the red teams.
On an equally motivated and skilled playing field, you would be correct. The bugs that will be exploited by meaningful adversaries will not be stopped by this effort. Latent exploitable bugs in most of the targeted mature software require significant, well-targeted compute to uncover. Google's incentives are insufficient to direct adequate resources toward the goal of making the internet a safe place for civilians.