I agree that you don't want to create a protection racket market, and that's what I was thinking when I said "being alerted to their own security mess-ups".
Your own staff and vendors are creating security vulnerabilities, and you wisely run a bounty program to detect them and alert you. And you only pay when they find a problem. It can be a very economical hedge against both mistakes and systemic dysfunction.
Also, if the researchers were criminally inclined, they could make more money selling vulnerabilities to someone else rather than alerting you.