
A sponsored bug bounty might be just as useful as more money directly to the project (especially if Google is porting Chromium to it). The nice thing about sponsoring a bug bounty is that anybody can do it; it doesn't require coordination with the project.


The Internet Bug Bounty that Facebook and Microsoft are sponsoring applies to OpenSSL: https://hackerone.com/ibb


The prize pool could use to be a damned sight larger though. Heartbleed only qualified for a $15,000 payout: a figure ten times larger would still look a bit stingy for such a serious bug.


I'm certain that certain agencies would value exclusive knowledge of this bug at millions, rather than thousands.


Certain ... private enterprises, as well. It's very unlikely that bug bounty prizes can be made to match the kind of money you might be able to get elsewhere for a big bug; but they don't really have to.


This - something like this is not only a great idea but incentive for more developers to spot some easy fixes & promote the OpenSSL brand as well.


And cheap if no one finds anything.


I'm sure that can be crowdsourced


Yup, we're just waiting on someone to do it. It wouldn't have to be OpenSSL (or even FB or MS, the existing IBB sponsors): it could be done by anyone with enough public credibility to be trusted not to run away with the money, and the time and skills to jump through the tax/charity/crowdfunding hoops.


Another nice thing is you can see what the money goes on. "Where does our €5,000 donation go?" "We'll find and fix bugs in software you use."


Bug: OpenSSL implementation. All of it.



