This is an excellent point, but there's a good answer to it.
The purpose of a bug bounty is not to encourage a particular individual to report an issue rather than sell it. The purpose is to encourage more people to get into the business of finding and reporting bugs before the people who are in the business of selling bugs to criminals find them and sell them. If, in the process, some black hat researcher also decides to report some particular bug rather than facilitate a crime, so much the better - but you can't rely on that, and you shouldn't design a bug bounty program around it.
In other words, you're not competing with the black market. Instead, you're paying to improve your security, and accordingly, you want to get the most bang for your buck. Finding previously-unknown entry points is high-value. Finding internal pivots is extremely low-value because they are ubiquitous, and your infrastructure is already designed around the assumption that they are ubiquitous.
Which isn't to say that you aren't interested in finding the internal vulnerabilities and eliminating them. You are. Which is why you conduct penetration tests. But pen tests are big deals, with rules of engagement around them. You deliberately give the testers elevated internal access so they can test under the assumption that there may be an entry point you don't know about. You establish ongoing communication between the testers and the clients, especially at any potential pivot or escalation point prior to proceeding. You don't run a pen test by opening it up to anyone who wants to give it a whack and hoping that they'll tell you about it afterwards (i.e. a bug bounty program). That's an insanely high-risk, low-value way to discover your internal vulnerabilities.
The purpose of a bug bounty is not to encourage a particular individual to report an issue rather than sell it. The purpose is to encourage more people to get into the business of finding and reporting bugs before the people who are in the business of selling bugs to criminals find them and sell them. If, in the process, some black hat researcher also decides to report some particular bug rather than facilitate a crime, so much the better - but you can't rely on that, and you shouldn't design a bug bounty program around it.
In other words, you're not competing with the black market. Instead, you're paying to improve your security, and accordingly, you want to get the most bang for your buck. Finding previously-unknown entry points is high-value. Finding internal pivots is extremely low-value because they are ubiquitous, and your infrastructure is already designed around the assumption that they are ubiquitous.
Which isn't to say that you aren't interested in finding the internal vulnerabilities and eliminating them. You are. Which is why you conduct penetration tests. But pen tests are big deals, with rules of engagement around them. You deliberately give the testers elevated internal access so they can test under the assumption that there may be an entry point you don't know about. You establish ongoing communication between the testers and the clients, especially at any potential pivot or escalation point prior to proceeding. You don't run a pen test by opening it up to anyone who wants to give it a whack and hoping that they'll tell you about it afterwards (i.e. a bug bounty program). That's an insanely high-risk, low-value way to discover your internal vulnerabilities.