As a security researcher, I would like that.. since theymos made them pretty high :x ;)
It's important to realize bitcointalk uses XAU, which means currently it ranges between 0.255 and 25.5 BTC depending on severity. I have to be honest that this is pretty big and smaller rewards seems fair to me too (especially since bitcoin.com is just starting and therefore the impact of a security bug would be realistically smaller.)
To give some other examples of bug bounty programs..
High: $1,600+ (would be the levels: Root, Arbitrary DB writing, Obtaining arbitrary PMs or password hashes on btctalk)
Medium: $400 (would be Persistent script injection and some CSRF/non-persistent XSS probably)
Low: $100 (lower impact, realistically barely/no "damage")
High: $1,000+ (do note they always say "+", if you find something to steal all their bitcoins obviously they will reward much more)
So I don't think it has to be as specific as bitcointalk (although I do appreciate that transparency from theymos - if you report a bug you know in advance exactly how much it will be) and probably more like the 3 other examples. Still in the background you would probably rate the severity somewhat like bitcointalk (since it's also a forum with same security priorities like keeping password-hashes and PMs safe.)
Either way just stating you have a bug bounty at all, ranging from $x to $x for real security vulnerabilities will be a start :) (with some contact info, and potentially some "rules"/"out-of-scope" like all examples have.) Normally the security researcher who reports it, should tell you why it is an important bug to fix too. And then you can probably discuss the real severity/impact with your developers to come up with a bounty for it. (Only important that your developers realize that although most bugs take seconds/minutes to fix, rewards should not be based on that but on severity/impact.)
Ps, I will just start searching through the phpBB source now since you seem to be interested in at least giving some reward and I enjoy searching stuff like this :) If I do happen to find something.. should I contact you, rogerver?