Vulnerabilities will always sell for more on the black market because there’s an added cost for asking people to do immoral and likely illegal things. Comparing the two is meaningless.
To give a straightforward answer: no, I don’t think $20k is underpaid. The severity of a bug isn't based on how it could theoretically affect people but on how it actually does. There's no evidence this is even in the wild, and based on the description, it seems complicated to exploit for attacks.
No, it's priced on demand and supply like anything else; bug bounties are priced to be the amount that Google thinks it takes to incentivise hunters to sell it to them, vs. to black hats.
The more interesting question would be, if the bug bounty is enough to keep legitimate researchers engaged to investigate and document the threats. But..
The bug bounty itself is only a drop in the bucket for security companies, as it's a, unsteady and b, not enough to cover even trivial research environment cost.
Pratcially it's a nice monetary and reputation bonus (for having the name associated with the detection) in addition to the regular bussiness of providing baseline security intelligence, solutions and services to enterprises, which is what earns the regular paycheck.
Living from quests and bonties is more the realm of fantasy.
From a speech perspective, if I discovered an exploit and wrote a paper explaining it, what law prevents me from selling that research?
https://www.law.cornell.edu/uscode/text/18/1029 gives the definition and penalties for committing fraud and/or unauthorized access, and it includes the development of such tools.
A lot of it includes the phrasing "with intent to defraud" so it may depend on whether the court can show you knew your highest bidder was going to use it in this way.
(apologies for citing US-centric law, I figured it was most relevant to the current discussion but things may vary by jurisdiction, though probably not by much)