Bug bounty programs are often set up to get people to work for free, or for minimal pay relative to the effort and skill.
But there is a down-side for a company that tries this approach. They.will likely attract people motivated solely by money. When a security vulnerability is discovered, the calculation will be "will I make more money by exploiting, selling or reporting this?" Only the minor, low-value bugs will be reported through a bounty program.