A bug bounty program is economically beneficial to a firm when the firm has low in-house efficiency in finding a vulnerability *or* when the firm faces a high proportion of coopetitive hackers (bug reporters who would otherwise pose a security risk by misusing vulnerability information).
Paper: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3940307