The distribution probably has a relatively small amount of people reporting a disproportionately large amount of the bugs.

This is very true. It's been a reality for a long time that the most successful (measured in $x rewarded) bug hunters sometimes have hundreds or even thousands of bugs submitted per year.

This way, they can capitalise on the fact that smaller security issues are much easier to find, especially if the bug hunter has expertise in the underlying framework.