
Depends on the cost/benefit. 3x security engineers to detect/respond to vulns and attacks is less expensive but gets similar coverage plus a lot of other work capacity, for instance.


What cost? There is literally zero cost.

Unless a successful attack actually occurs, in which case it's literally almost priceless in terms of their reputational damage, unless they can get their hands on it before someone else.


Although PWMs would get a reputation hit from a breach, there isn't any precedent yet for high-trust software being breached publicly and what happens to their reputation.

But, if you ask around enough with security teams at the large cloud providers, there are definitely rumors of APT-level activity being detected/blocked at the infra level. Yet, cloud is still the most secure option out there vs. on-prem in 90% of the use cases for it, so to speak. Similarly, there is just too much precedent of high-trust firms being breached, and nothing really happening to them as a result (fines, loss of users, etc.).

So, you allocate $1mil, possibly spend it, and either way can't use it for anything else, or you allocate a fixed cost of $600k/yr and get a lot more out of it on the security front, to include solid defense-in-depth, detections, and IR capabilities for if/when the successful PWM attack finally occurs. Personally, yes probably worth putting out a hefty bounty, but pragmatically you'd get more out of hiring the engineers.


1M allocated to this bug bounty is 1M not spent if their security is strong enough.