Well, yes. If you're not willing to lose 100% of your investment to any security hole that may be discovered anywhere in the entire stack of software running on any machine from which you access your crypto account, you shouldn't invest in crypto.
Arguably, bug bounties are always paid for by users. A vendor might write the bounty-winner’s check, but the source of the vendor’s funds is the vendor’s customers.