LOOL @ Dunn
Once again, Mr. Dunn hasn't done a lot of forward thinking and proper research.
If all of this (about bounties and poor development practices) is true, then why do most software vendors have occasional security updates?
Probably a majority of bugs are reported back to a vendor from customers who conduct tests (including penetration tests) before completely committing to purchasing their product. Most large corporations now either have penetration testers (or contract this out) to evaluate the application's security.
Usually, a penetration test is outlined in the agreement between vendor and customer. Companies can no longer get away with saying you can't pen test their product before purchasing it.
It's not unusual to find security vulnerabilities. When we do, it's usually taken care of quickly and without fuss from the vendor. Also, customers don't demand money for doing the pen test, since it's part of their due care/due diligence. However, it's not uncommon for a customer to point out the vulnerability and then not release all of the details. I mean, we aren't paid by them to pen test their software. :) ...so the vendor is forced to figure a lot out on their own, which they typically do well once it's pointed out.
So, that a software vendor doesn't offer bug bounties, or have a program for the general gray hats to make money on, doesn't mean they aren't doing a good job securing their application, that they aren't focused on security, or that their software development methodology is poor.
Because of all this, why would a company offer a large bug bounty if they have a product which is being used by many? Consider just how many ridiculous claims and false findings you'd have to deal with from this type of program. Many companies who do have bug bounties aren't really doing it for security... they are doing it as a marketing stunt. It's good publicity, usually gets another story or two published... and nobody knows they don't really do much with the program after a couple of months and the marketing boost from it begins to wear down.
...speaking with one Dutch company about bug bounties (which doesn't even have a bug bounty program of its own) isn't exactly proper research. LOL