Seems to me like this is the wrong approach. Essentially, they’re saying they they have no idea how much they can pay per bug.
A sensible approach would be to insure bug bounties, at least up to the amount that a black hat could profit from compromising the system.
I'm guessing the 150'000 means they'll stop paying for new bugs once they've reached that amount.
Source:  -> Q&A regarding the public intrusion test -> Is the federal government allowed to pay for hacker attacks?