The vulnerability is actually a Xen issue and is mitigated on QubesOS as long as you use HVMs or PVHs. If I understood correctly, PVHs are like HVMs but without QEMU to reduce attack surface.
Can’t find a bounty program there. As Xen is deployed in data centers worldwide, I assume that the Zero Day Initiative would reward notable findings.
For such a small distro I believe the QubesOS team is doing a tremendous job. Another team I admire is Google’s Project Zero.
Especially after Project Zero got the “Lamest Vendor Response pwnie award 2022” which totally discredited “Black Hat”.