In this case the second $3000 bounty was due to a 2x promotion at the time. The guideline for a critical is $3000, but Cloudflare does occasionally award bonuses for severe vulnerabilities (e.g. https://hackerone.com/reports/1478633).
6k seems to be a really low payout given the potential impact (particularly with respect to personal data), the work needed to discover such vulnerabilities, the revenue of cloudflare and the potential money that could be made by a blackhead. Or am I naive?
It was also comprised of two separate $3,000 rewards. Maybe they treated it as two vulnerabilities?