Yes, and they're a less time-efficient way to get a serious read-out of application security than a pentest is. A lot of companies run bounties because they think they're "supposed to", but really, no.