While better than nothing, I'd argue a bug bounty is perhaps the opposite of what's truly needed - incentivising the finding of vulnerabilities is good, but it needs people to fix those.
Alas, this is what happens when tech policy is written by people without tech experience, I suspect.
Alas, this is what happens when tech policy is written by people without tech experience, I suspect.