Hacker News



I mean, there is a mix here: some genuine notes about how high bounties can cause coordinated breaches to farm income, but also notes about how bounties shouldn't replace pen testing (I agree, but have both and don't, as a pen tester, just argue that more money should go to pen testing; it's way too self-serving), and a weird comment that having a low bounty and then overpaying for a return of privileged data if the compromise could expose that data is a bad idea because it encourages bad actors. If the bounty is 3k and the data is worth 30 mil then yeah, bad actors will emerge, because you're criminally underpaying for exploits.

Honestly, a lot of the reasons I'm seeing for lowering the payout of bounties seem to revolve around "It's too expensive."


More reasons: https://twitter.com/k8em0/status/1078798252151992320

Almost any amount of money allocated to bug bounties would be more efficiently spent developing in-house talent.


Which serves the argument that instead of rewarding people for sharing vulnerabilities we should be punishing companies for having them. Harshly. The more data points a company tracks, the faster the fine should approach 100% of the entire company market cap. Their subsidiaries, parent companies, board, and executives should also not be immune but rather personally liable for egregious cases of not knowing, failing to follow, or cutting corners around documented best practices, security patching, hardware rotation, etc. The entire industry needs to be reworked to put security first and make all PII hazardous.

Sadly, software is going the way of construction. Things will only change when TPTB get inordinately affected.



