Oh I'd keep the check stub and photocopy it onto my resume (just kidding).
Considering exploits are supposed to be hard to find (why they're large bounties), it's just the incentive/hush money to pay the hacker, because you have to consider a few things...
1) why and how did you find the exploit (were you trying to hack someones account, stumble upon it [that's lucky], are you a security firm [meaning you have success in this before], were you black hat contracted, ect).
2) a hacker would prefer the recognition [possible employment], the reward [sandwiches aren't free], and release of liability [a company may still file charges for probing their systems 'weev,' is an example]
I can think of very few vulnerability testers that have gained employment at the companies where they find the exploits. Comex is one I can think of off the top of my head (created the jailbreak for iphones, landed an internship at Apple, then career Google).
The biggest reason I see for the payouts is simple:
That exploit has a value on the 'black market'. If it comes down to "no money" or "$20k", people are going to be looking at the "something" instead of "nothing", no matter what the laws say.
The bug bounties don't always have to be a lot - most people will want to do the right/safe thing anyway. They just have to offer some incentive (we've all seen some success with even $800 bug bounties) to keep the honest people honest.
On the contrary, we're in the position to do an incomparable disservice to the world. Companies buy exploits simply to buy the hacker's silence, and governments buy exploits to bolster their offensive military capabilities -- when we sell to them we're complicit with the damage they do.
Personally I'm of the opinion that the only responsible disclosure is full and anonymous disclosure.
Considering exploits are supposed to be hard to find (why they're large bounties), it's just the incentive/hush money to pay the hacker, because you have to consider a few things...
1) why and how did you find the exploit (were you trying to hack someones account, stumble upon it [that's lucky], are you a security firm [meaning you have success in this before], were you black hat contracted, ect).
2) a hacker would prefer the recognition [possible employment], the reward [sandwiches aren't free], and release of liability [a company may still file charges for probing their systems 'weev,' is an example]
I can think of very few vulnerability testers that have gained employment at the companies where they find the exploits. Comex is one I can think of off the top of my head (created the jailbreak for iphones, landed an internship at Apple, then career Google).