by rhexs 2020 days ago
Unless litigating students is something your startup is interested in, I’d recommend ignoring that line of thinking and just hiring a good pen tester for a few months.
1 comments

It’s really hard to say what something is worth if you are only allowed to sell it to one buyer. No competition between buyers. The only leverage is releasing the info and screwing a lot of people.

(Also sucks that you can release it anyway. But you do want to source these vulnerabilities from the world at large.)

Yet another reason why open source and collaboration may be better than capitalism and competition. Many hands make light work, with enough eyes all bugs are shallow, and all that.

(To be fair, open source lacks security by obscurity so a project becomes secure after many years and developers join it.)