Real security processors never give big bounties because when bugs are discovered all the buyers immediately cancel their orders of the 'faulty' secure chips.
Really big bounties would then be appropriate, as they would come with NDAs. Small bounties would just encourage others to make them public / sell them to more malicious actors.
What if multiple people discover the same vulnerability? What do you do?
Do you pay out to all of them? Do you make them sign an NDA without guaranteeing you'll pay them? Do you tell the 2nd, etc., discoverers to go away and hope they don't reveal it?
If you pay out to all of them, there's a strong incentive to leak info and collect multiple bounties for the same vulnerability.