Vulnerabilities will always sell for more on the black market because there’s an added cost for asking people to do immoral and likely illegal things. Comparing the two is meaningless.
To give a straightforward answer: no, I don’t think $20k is underpaid. The severity of a bug isn't based on how it could theoretically affect people but on how it actually does. There's no evidence this is even in the wild, and based on the description, it seems complicated to exploit for attacks.
No, it's priced on demand and supply like anything else; bug bounties are priced to be the amount that Google thinks it takes to incentivise hunters to sell it to them, vs. to black hats.
Your principles will be gone by the time the 10th company starts to sue you for a public disclosure you did in good faith.
There's a reason why nobody wants to use their real name and creates new aliases for every single CVE and report.
Principles are discrepancies with the law, they don't exist. If the law dictates a different principle than your own one, guess what, you'll be the one that is in jail.
Whistleblower protection laws are a bad joke, and politicians have no (financial) incentives to change that.