Over the last two decades the penetration-testing / vulnerability assessment market went through a series of evolutionary waves that went like this…
1st Wave: “You think we have vulnerabilities and want to hire an employee to find them? You’re out of your mind!"
The business got over it and InfoSec people were hired for the job.
2nd Wave: "You want us to contract with someone outside the company, a consultant, to come onsite and test our security? You’re out of your mind!"
The business got over it and consultant pen-testing took over.
3rd Wave: "You want us to hire a third-party company, a scanning service, to test our security and store the vulnerabilities off-site? You’re out of your mind!’
The business got over it and SaaS-based vulnerability assessments took over.
4th Wave: "You want us to allow anyone in the world to test our security, tell us about our vulnerabilities, and then reward them with money? You’re out of your mind!"
Businesses are getting over it and the crowd-sourcing model is taking over.
The evolution reminds us of how the market for ‘driving’ and ‘drivers’ changed over the last century. People first drove their own cars around, then many hired personal drivers, then came along cars-for-hire services (cabs / limos) with ‘professional’ drivers that you didn’t personally know, and now to Uber/Lyft where you basically jump into some complete stranger’s car. Soon, we’ll jump into self-drivers cars without a second thought.
As we see, each new wave doesn't necessarily replace the last -- it's additive. Provided there is an economically superior ROI and value proposition, people also typically get over their fears of the unknown and will adopt something new and better. It just takes time.