The authors of this article, supported by HackerOne, a platform for bug bounty programs, provide empirical evidence supporting the assertion that these programs are a cost-effective means for companies to improve their security posture. Their research found that hackers are motivated by the challenge these companies pose to their skill sets rather than financial gain. It also found that programs receive fewer valid reports as they grow older. The median program receives four valid reports per month. However, programs in the 75th percentile for age receive 2.56 fewer reports per month than those in the 25th percentile of program age.
Source:
https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=trueLinks