Hot take:
Bug bounties no longer provide meaningful value to the companies that run them, nor the researchers who submit to them.
It was always a broken model, but as time goes on, the value they provide is as a guardrail for higher-quality pentests. E.g., if a research team only finds IDOR vulns, you probably need a new firm.