The prize pool could use to be a damned sight larger though. Heartbleed only qualified for a $15,000 payout: a figure ten times larger would still look a bit stingy for such a serious bug.

I'm certain that certain agencies would value exclusive knowledge of this bug at millions, rather than thousands.

Certain ... private enterprises, as well. It's very unlikely that bug bounty prizes can be made to match the kind of money you might be able to get elsewhere for a big bug; but they don't really have to.