I've reported bugs to Google VRP and got paid. The main problem with this report is that the victim has to click a suspicious link which is similar to phishing through email. No bounty programs award bounty for phishing.
This is not to say this isn't a bug. The author has to find a way to escalate the impact. If they are able to achieve the same impact without user interaction, the impact will be high enough for bounty.
What suspicious link? The person is in their AI-powered page that Google provides with pre-cooked suggested prompts. If the user clicks one of those and triggers the security exploit, is that what you are calling suspicious? I don't.