Cash is always going to be the best, but it has its edge cases. If your service is a vendor at my company, and I discover a security bug and I fix it while working, because I have a very good incentive to do so, chances are I can't legally receive the cash bounty for it due to the anti-bribery and conflict of interest clauses in my contract, or I need to run this past Compliance first.

Then comes the question of what is the relationship of the people doing the bug bounties? Are they random open source developers? Do they work at companies that use our product? Are they full-time security researchers as individuals who spend their time fixing other people's stuff as a full-time gig? Do they work at one of the security research companies? If they're an employee of the security research company, do they get the cash prize, or does the company? Is that stipulated in their contract? Is that stipulated in your bug bounty agreement / terms?

If I were an out-of-work person who happened to find a security bug and disclosed it responsibly, apart from the cash prize, the other super valuable thing I would appreciate is a job offer. Clearly I have the skills to do the job, I have already demonstrated it, I care enough about the product / company that I went through the process of responsibly disclosing it, you already know I can abide by NDAs and stuff. The only hurdle left is the legality of employing me due to geopolitical and tax reasons.