Is it just me, or are these bounties really low? Unless I'm misunderstanding, identification bypass could be incredibly damaging for the company and their customers, but it's only got a $3000 reward?
In my personal opinion, you want to balance bounties against how much money the person could receive using the exploits vs. the amount of trouble they could potentially get into.
You overestimate the value of these bugs to the black market. There is no shortage of hacked PayPal accounts for sale on the various dark net markets because the hard part is getting money off the accounts. PayPal will flag a transfer for a dozen different reasons: if you don't log in to the hacked account from an IP close to the location of its owner; if you immediately attempt to transfer money off the account to a bank account; etc.
That's kinda hard to evaluate, not having actually done it. That said, such a bug, if it works as expected, might be much more highly priced on the black market.