[bink]

I've been on both sides of bug bounties for many years. In truth, no one is offering a comparable bounty to what you can get selling exploits to a reseller. The closest would be Apple or Google with their million dollar bounties for cell phone exploits, but even that is likely underpaying.

The real value of bug bounties is for less sensitive products that aren't really big targets for nation states. Startups with products that haven't seen wide deployment in sensitive industries, for example.

There are many people who are perfectly happy getting "rep" and lower payouts for finding flaws in even the highly targeted applications, thankfully.