That is a great question.
This is why I believe hacker-powered security is so powerful. If there are a lot of people who have the same incentives, we believe that there are always more people who will be able to find the same vulnerability. If one of those people, whether they're a criminal or not, decides not to disclose that security vulnerability, they run the risk of other people identifying the exact same vulnerability and disclosing it to the organization.
We've never set out to compete against the black market where, essentially, zero-day vulnerabilities have been traded, either with governments or private organizations. The bug bounty programs have definitely created a reverse incentive for these black hat hackers to go after these vulnerabilities, because the prices are essentially going up simply because the chances of people with good intentions finding the same vulnerability are skyrocketing today.