Nice, but these bug bounty programs must be one of the cheapest possible ways to "outsource" QA work. Paying a few thousand dollars for a critical security hole? That's extremely cheap compared to a regular QA department.
I'm of course not saying that it replaces the QA department, but even if they hire only 1 person less because of these programs it's already financially worth it for them.
I'd say the biggest impact is that it encourages a behavior that a lot of people tend to show anyways: If we find a bug, most of us are inclined to report it, not abuse it. I'd assume that a lot of people tend not to report bugs when they have the feeling that it only costs them time for no benefit. Now, with a bug bounty you're shifting the equation towards the desired outcome: Taking an hour of your time to write a bug report can actually pay off for you, even if only one in five bugs get the minimum reward. Granted, you could sell a critical exploit for much more money, but most humans are intrinsically biased to do "the right thing" and by rewarding people for doing the right thing and making that reward public, you're reinforcing that bias.
It's still a cheap way to get bug reports, but I don't think it's about replacing QA. It's about creating a climate where bugs missed by QA have an increased likelihood to end up on your desk since no QA could ever find all bugs.
I'm a tester so maybe I notice bugs more than others and I do find a lot when trying to use sites just to do my day to day business. I would report them if sites made it easy to do so but in most cases it's really hard just to find a contact email to report the problem to.
Are bug bounty programs really all that much less work? My impression is that the offer of money tends to attract a ton of hard-to-decipher half-baked submissions, and someone's got to dig through them all to separate the wheat from the chaff.
(I mean, I used to work on a product that was used exclusively by engineers, and some of the bug reports I got were nearly impossible to decipher. Open that to the general public, on a product used by bored teenagers who like to prank each other, and offer money on top of it, and it seems like hell on earth.)
Counter-argument: The offer of money incentivises the reporter to be clearer and more thorough in their report because they want to get paid and not have their report thrown out by a moderator who can't understand it.
I agree with this - yet BB programs are still very successful. Why? Because not everyone who knows about websec has a job in the field.
The second thing is, $500 as a minimum reward may seem small in 1st world countries, but in the rest it is close to the average monthly pay.