by dmazzoni
701 days ago
If it really was a way to get cheap labor, more companies would be doing it. As it is now, only the largest tech companies with the strongest security records are actually running good bug bounty programs. They have excellent, well-paid security teams and they put systems in place to incentivize all of their employees to write secure code. But, they know that (1) mistakes can still happen, (2) clever vulnerabilities can be discovered that get around code that was previously thought to be following all best practices, and finally they understand very well that (3) if they don't pay, others will. Unfortunately it's the companies that need it most - like AT&T and Experian - that have the worst track record with rewarding third-party security researchers.