Suspending our bug bounty program

Many big companies run bounty programs for security issues discovered in the wild. This makes a lot of sense when your company crucially depends on keeping tight security around its products and services.

For an open-source project distributed under a very liberal license (Apache 2.0), the benefits of paying bounties for bugs are less obvious. Since Mbed TLS is used in pretty much anything embedded that needs secure connections over untrusted networks, it can be found inside lots of products distributed by companies who deeply care about security. In many cases, those companies report and contribute back very quickly whenever a security issue is found in the library. Those contributions make it back into mainstream Mbed TLS with every released version.

We also receive bug reports and contributions from academics who routinely break TLS stacks for a living. These contributions are absolutely invaluable, as they impact millions of devices running Mbed TLS. Those bugs are most often published and corrected within a 90-day notice period and upstreamed to the main branch.

Over the past two years, we have seen the number of requests for bounty payments trickle down to a handful, while the number of bug reports and pull requests has remained fairly steady. Mbed TLS users obviously care about security and they contribute back upstream without asking for rewards, probably because they use the mainstream version in their products and do not wish to maintain their own Mbed TLS branches.

We have decided to suspend the bounty program, as it seems to have had very little impact on the number of bug reports and the amount of help we are receiving from the community. We may revisit that later if there happens to be a strong demand for it. Do not let that deter you from contributing: pull requests are welcome! Every contribution is duly attributed in the release notes and through GitHub history.

