As a policy, bug bounty programs offered by companies act as a crowdsourced form of cybersecurity. They will have efficacy no matter the size of the company or organization, although the number of valid reports will obviously vary and may be influenced by the company itself: larger companies viewed as socially bankrupt might need to offer larger bounties and sift through more false reports. Furthermore, companies and organizations might need to update their bounties as vulnerabilities are fixed, due to a smaller pool of people being able to find said vulnerabilities. Overall, as a policy, it works as an effective tool for discovering aspects overlooked by your own cybersecurity team.