Bug bounty programs are a nice adjunct to what should be done internally. It is an unfortunate situation that no matter how good your people, processes, etc. are bugs will get out. Thus the last line is the bounty hunters. What I would be more concerned about are the organizations that use bounty hunters as their first line.