""The UK government, she said, is not going to start a bug bounty program""
I'm pretty sure that at one point they were looking at it. I received an email (at least a year ago) invitation to join a pilot scheme that NCSC were looking at running. Reading between the lines, it sounded exactly like a bug bounty scheme. I don't believe that anything ever came of it, presumably because they were asking security companies that already did government work to effectively work for free.
Biting the hand that feeds IT
