This Crowdtilt will fund a focussed crowdsourced security assessment (otherwise
known as a bug bounty) on OpenSSL.
...
Security crowdsourcing company Bugcrowd will organize a “sprint bounty;”
coordinating and incentivising the security research community to thoroughly
test OpenSSL for potential security concerns.
I'm a little worried this is just a PR move for Bugcrowd, but it might be genuinely useful in producing a bunch of bug reports for holes not discovered yet.
(Having said that, if you're a blackhat the amount you'd get selling or using anything you found would eclipse whatever Bugcrowd would pay you... But that'd happen regardless if this ran or not.)
You're right re the payout amount for blackhats, but it only takes one whitehat to claim a reward for a bug to get killed, and the idea of a sprint is to get a bunch of them focussed on the same target at the same time. We've been running sprints alongside the more traditional ongoing bug bounties since we started, and they're very effective.
Hopefully we will get enough individuals and companies backing this to make the rewards attractive to the right kinds of researchers.