>Mostly the best market is intelligence agency vendors.

That makes me wonder - maybe the original bug was really a backdoor created as a result of a deal with an intelligence agency/vendor. So, can it be that Google gets money (or, more generally, some kind of brownie points; also an interesting aspect - given that the agencies may exploit individual engineers, it would seem to be preferable for the company to play ball and have it organized under the company's control) for a backdoor, and once the backdoor is found, pays the bug bounty? The bug bounty is thus a kind of backdoor quality control program :)