Bug Bounty Program

AAVE offers a bug bounty program, as indicated here: GitHub - aave/bug-bounty

The issue with this type of bug bounty program is that they are not using a third-party bug bounty service such as Immunefi or Hats Finance. This is an issue because there is no third party to actually aid in making sure the bug is paid out; the hacker has to take the protocol at its word. Furthermore, the protocol has to manually sort through all potentially relevant bugs themselves, making it more difficult and time-consuming for the protocol to actually pay out. Ultimately, having a proprietary bug bounty does not facilitate a good, healthy bug bounty ecosystem. I agree that AAVE should implement either Immunefi or Hats as their decentralized bug bounty service. I also recommend having a larger bounty; 250K is peanuts when compared to the treasury of AAVE.

1 Like