My experience tallies with this. I used to work for a hosting company and we got plenty of emails from guys in India, Pakistan, etc. who had 'run Burp Suite against X and found Y'. We had no bounty program as we were fairly small fry, so we said thanks and fixed the bug. You can't compete against the volume. And the big payouts take a lot of time and skill to find and exploit.