Relevant Study: https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true

This study focuses on data from HackerOne’s bug bounty program. The study found that most
people who participate in this program or other bug bounty programs are largely unmotivated
by the money that they can earn from finding bugs. Also, bug bounty programs are still useful
to companies even if they aren’t able to pay a lot of money for people that find bugs in their
software. A company’s size also doesn’t affect the number of valid reports that they get.
However, companies in retail, finance, and healthcare sectors receive less reports than other
companies. As bug bounty programs become older, they receive less reports and bugs become
harder to find, however this affect can be lessened if the programs increase the amount of code
that is available to test.