by dzmien 3618 days ago
Wouldn't a true white hat hacker report the bug no matter what the bounty? Therefore, the bounty is in place to encourage black-hat hackers to report the bug instead of trying to profit from exploiting it. But I do agree that it is in a security company's best interest to offer high dollar sums for reporting crucial bugs. I am just arguing semantics :-)

It isn't a choice between "bother to submit or not", it's a case of a white-hat might be encouraged to look into this product rather than another product because of the bounty.

So the end effect is more bugs found by "white hats" rather than "black hats" because the bounty has focused the "white hat" efforts on your program. (Or encouraged them to look at all.)

I'm likely to poke around a site with a bug bounty even with small sums just because it hints at a more formal process and also likely means they have a sensible policy about not going after testers.

Bug bounties are as much about signalling as about encouraging "black hats" to suddenly turn to the light side.