Paying bug bounties is more cost-effective than a security team, study finds