Facebook and Microsoft are winning plaudits from security researchers for launching an initiative to offer bounties to bug hunters who discover and report vulnerabilities in widely used products.