Maybe because it increases the security significantly. Say a large government pays top $ for an exploit. Chances are pretty good that the vast majority of the black hats on the planet will not have it.

Additionally publicity generates incentive to fix the problem. More apps/OSs/libraries will try harder to be secure. Apps could start wearing high exploit bounties as badges of honor.

Much like how ransomware likely has increased security more and changed user behavior than an infinite amount of suggested security training. Some users even gasp ask about how to protect against ransomware and as a side benefit actually protect against mistakes, dying disks, and other flavors of malware at the same time.

Seems better to trot this kind of stuff out in the open than to hide your head in the sand and try to hide security problems from the public.
But why incentivize the weakening of secure systems? I honestly don't think that black hat hackers would find much utility in cracking an app like Signal (except maybe for street cred). Relatively few of its users would be "soft targets" in terms of susceptibility to phishing, social engineering, weak passwords, lack of 2FA, etc.

Governments on the other hand would pay lots of money to increase their mass surveillance capabilities. Signal users are disproportionately young, sophisticated, and politically engaged.

Given that Signal's budget is raised from donations and grants, and is much more fixed than an open market to undermine it, how would such a market incentivize them to increase funding on security? It's already their top priority.


> But why incentivize the weakening of secure systems?

Are you suggesting that the developers would put in a vulnerability on purpose, in order to sell it and collect the payoff?

Because, short of that, I can't see how exploit trading incentivises weakening of systems. It just incentivises people to find weaknesses.


That's what first-party bug bounty programs do now.

The extra thing that a free market does is incentivises people to find weaknesses and sell them so that they can be maliciously exploited. When vulnerabilities are exploited instead of patched, secure systems are by definition weaker.
