
Anyone who wants to report something via their bug bounty program.

https://www.intel.com/content/www/us/en/security-center/bug-...




Auditing/public research and bug bounties are not really the same category.


Famously, Telegram has a bounty program, but was widely criticised for it, and for not doing a formal audit.

Criticisms here: https://news.ycombinator.com/item?id=6940665

I don’t doubt that they have more independent security analysis than just the bounty program; but using it as an argument that they’re paying people is not realistic.


Bug bounties are very different than auditing. In an audit, there is a contract in place with specific analysis objectives based on agreed-upon criteria. I find it unlikely anyone in the industry would have more experience than Intel about CPU manufacturing, although there might be security consulting firms that are advanced enough to merit a real corporate NDA. But given the breadth and depth of their IP, even that seems unlikely.

But I would still really be interested to know who Intel hires to audit their products, if this is true. I'd like to do that kind of work.



