When the money for selling info
.... greatly exceeds the bug bounty, some of the testers might be looking at the bounty programs as a way to avoid detection. If people are being invited to test something, it eliminates the first alarm bell. All they might need to do is register with some false information and do their work from a node that isn't tied to them. One has to hope that the entity hosting the event is using a shadow system with dummy information.
It's like the gun buyback program that was paying enough money that one guy found it profitable to 3D print guns and turn them in for the "reward" until they got wise. The beauty was that he didn't have to test that the 3D printed gun would actually work and not endanger the person firing it.