Statement of the obvious
The easy / fast-to-find bugs are way more likely to be found than the hard-to-discover bugs, zero surprise there.
It's all just PR puffery saying our company will find some currently missed bugs.
Bug bounty fatigue means that bounty hunters are only picking up the easy-to-find flaws while leaving more difficult-to-tease-out vulnerabilities undiscovered, according to a security testing organization. High-Tech Bridge said its mix of automated scanning and manual inspection is unearthing problems at organizations that …
People who are motivated by the money will get more by selling exploits to criminals.
Bounty programmes have four functions: show recognition for the work involved; potentially improve any automated systems; act as cheap and effective recruitment programmes; serve as PR to the rest of the world, showing that they care about security.
It's almost as though QA and security are things that should be paid jobs within a company rather than simply outsourced to hobbyists. Sure, you can get some benefit from asking nicely for people to tell you about issues they've found and showing appreciation when they do so, but it should be obvious that that can only ever be in addition to trying to do it properly yourself as well.
Yes, I actually burned out on bug bounties... I did it as a hobby for about 2-3 years and got into the top 10 at Bugcrowd, but my day job was pentesting, and then the bounties would sometimes start at odd hours, and you knew that if you were coming late to the party your chances of finding bugs diminished. The few times I got big payouts (exceeding $4K) were when I was at the starting block with everyone else.
Then, of course, it's also frustrating hunting for 6 hours and finding nothing... whereas if you pentest, you get paid regardless of whether you find bugs or not!