As the case with the most recent bug on PayPal one has to ask themselves whether this was a bug found and diligently disclosed to PayPal only, or was it first used by the criminal element and then when it was used up disclosed to PayPal to receive the bounty?
I suppose PayPal could have the data somewhere to support either way, or maybe they don't?
I'm not arguing against bug bounties, I've been converted...but I have to wonder whether they are being abused...or maybe it doesn't matter as long as the vendor gets the heads up they likely wouldn't gerry otherwise? The money isn't massive sums, certainly arguable that it's cheaper than hiring many more security professionals on staff...and likely more effective, but... I'm still left wondering.
Bug bounties are great but, how much are they giving companies a heads up? Do wr even care for the small fees we pay out?