Not to mention, the outsider is a complete unknown. Are they an upstanding white hat? Or are they the darkest of greys? You have no idea.
At least an internal employee is on your payroll, and has been screened with a background check. You don't get to screen which people get to discover vulnerabilities.
. . . except for the outsider who mailed them about it and got paid a chunk of money as a result.