It pays to be paranoid. I believe I'd be able to add exploitable bugs that would not be detected in most code reviews; there's a large library of techniques available from underhanded C competitions and similar.
If malicious people can add exploitable bugs and claim a bug bounty later, then they can also add exploitable bugs to actually exploit them. So I'd say that bug bounties also work here: they create an incentive to review the code of open-source projects more closely.
After a look at some of the bugs linked at http://www.underhanded-c.org/_page_id_2.html, I'd say they are very niche and difficult to exploit in any meaningful way. Not only that, but even a mediocre test suite would find something fishy with most of them.