Good to see a bug bounty that isn't going to attract loads of wannabes to submit contrived nonsense reports in the hope of getting paid.
But this too could have unintended effects. If someone claims the full monty, who has been pwned? The sysop who perhaps misconfigured the software? Canonical @ubuntu? Upstream packager @debian? Or the software's original dev team? Or all of the above? Lots of scope for uncertainty there, and that's without even mentioning third-party Usual Suspects like PHP in a web server.