Jonathan Christopher thinks that software security bounties are spec work:
It’s just occurring to me now that contests like these are just like the design contests that consistently get lambasted each and every time they crop up. I likely don’t hear any recoil about these browser security contests because I’m not in that community, but I’m curious how security firms feel about things like this.
I disagree, however, if only because one is subjective, and one is not. Your design competition entry may or may not get picked and paid for, but if you find a legitimate exploit you are going to get paid.