So most public companies don't even run bug bounties. The ones that do may or may not acknowledge your disclosure, and they decide what your vulnerabilities are worth regardless of any scales they might post on a blog. So in a best-case scenario, you get maybe 10-100k for a world-ending RCE + escalation, but most of the time you get no response or <1k. On the gray market, though, something like that will easily sell for over 100k, sometimes several million. Generally it's frowned upon in academic circles, but there are a handful of large brokers like Zerodium who are happy to pay out for interesting bugs.