Jonathan Christo­pher thinks that soft­ware secu­rity boun­ties are spec work:

It’s just occur­ring to me now that con­tests like these are just like the design con­tests that con­sis­tently get lam­basted each and every time they crop up. I likely don’t hear any recoil about these browser secu­rity con­tests because I’m not in that com­mu­nity, but I’m curi­ous how secu­rity firms feel about things like this.

I dis­agree, how­ever, if only because one is sub­jec­tive, and one is not. Your design com­pe­ti­tion entry may or may not get picked and paid for, but if you find a legit­i­mate exploit you are going to get paid.