What other option do these researchers have? Try to sell the vuln on the black market (illegal) or to a state actor (unethical and likely illegal)? Keep quiet about what they found and not get any money/recognition?
Companies are under no obligation to pay and researchers are under no obligation (except ethics, I guess) to turn over their findings. By having some non-trivial payment the companies are encouraging people to provide cheap sec audits for them.
> What other option do these researchers have? Try to sell the vuln on the black market (illegal)
That's probably what GP is alluding to. They do have this option and I can imagine they could get much more money this way, with little or no way to trace the source of a 0day back to them.
> Companies are under no obligation to pay and researchers are under no obligation (except ethics, I guess) to turn over their findings. By having some non-trivial payment the companies are encouraging people to provide cheap sec audits for them.
Well, of course. The question is whether the amount companies choose to pay is enough to get most people to report vulnerabilities instead of selling them elsewhere, or whether those companies are just putting a lot of trust in the strong morals of security researchers.
Is it actually illegal to sell information that a particular bug exists and can be exploited? What if it is sold to the company which owns the software? What if it is sold to one's own government?