It’s $20k for all the vulns found in the sweep, not just that one.

And last security audit I paid for (on a smaller codebase than OpenBSD) was substantially more than $20k, so it’s cheaper than the going price for this quality of audit.