But people do expect and demand them - these days anyway. Such is the hoopla around this issue that any company not offering bounty is pointed at and sternly looked at until said company relents and starts a payout plan.
There have been too many examples of bug hunters ignored or taken advantage of to avoid this situation today.
I note with interest that LinkedIn seems to have found a way to retain the talent and avoid the chaff. I wonder if other companies will take note and copy the method - if they aren't already more or less doing the same thing.