As for the good people vs. bad people argument, it should be noted that the good people have a harder job than the bad people. For the bad people to do their job, they only have to find one exploit, whereas the good people have to find most/all of them to have made the system secure. That's why employing people to work on security matters (whether through a bug bounty program or through direct employment); a company that values security shouldn't rely on unpaid volunteers alone.