I don’t know whether it is a hard policy for google security researchers, but they seem to favour official bug bounty programmes. Patreon may not be an option for them.
Anyway, the reward of $10,000 is not the motivation here, and is probably half a months salary for him, at best.