You might have seen this already when we had some discussion about the FOSSA project, but as I was just commenting on a policy paper that mentioned bug bounties, I thought it would be good to remind you of this write-up by the Apache Software Foundation:
Chapter "Bug Bounties - a Panacea?" in https://blogs.apache.org/foundation/entry/free_and_open_source_security
I would be interested in what people here think about that.
Best Regards, Matthias