Hacker News
by HomeDeLaPot 2011 days ago
I suppose the illegal part would be the student threatening to disclose the vulnerability to others if you didn't pay. That seems like crossing the line into blackmail and being an accomplice of whoever he discloses to. But the student wouldn't be legally obligated to inform you of a vulnerability, and it wouldn't make sense to if you weren't willing to pay. I can see the difficulty, though: I guess you'd need to have his identity so you could legally pursue him if there was no vulnerability and he ran away with the money. Or maybe you could write up some sort of contract requiring an in-person demonstration...

>> student wouldn't be legally obligated to inform you of a vulnerability, and it wouldn't make sense to if you weren't willing to pay.

Which leads to a very interesting situation in negotiating. It's not the first time someone has tried to sell information or an idea without getting ripped off. But how can one agree on the value of information without knowing it? Is there a standard word or phrase to describe that situation?

The thing that is missing here would seem to be a sort of zero-knowledge proof.
Perhaps a third party both sides trust is hired to appraise the value.
Those things already exist, but ultimately bugs and exploits are too niche. A trusted third party cannot rule by themselves but is always required to ask both sides about the bug's impact. Since both sides try to frame it as both high and low impact at the same time, you make both parties unhappy in most cases and become untrusted.
Sounds like a standard Catch-22.
Finder’s fee
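Picking up the zero-knowledge-proof suggestion above: the cheapest cryptographic tool that actually fits the "sell a bug without revealing it" negotiation is a hash commitment with selective opening, not a full zero-knowledge proof. The sketch below is an added example, not code from any commenter. The seller commits to every field of a hypothetical report (component, impact, repro) up front and hands the buyer only the commitments; the buyer can then be shown the scope fields before paying and the reproduction steps after, and can check that nothing was swapped in between. The field names, the SHA-256 construction and the sample report are all assumptions made for the example.

```python
"""Hash commitment with selective opening for a bug report.

Added example (not from any commenter).  Seller commits to each field of
the report separately; the buyer can verify any field revealed later
against the commitments recorded before negotiation started.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Fixed field order is part of the agreed "protocol" (assumed for the example).
FIELDS = ("component", "impact", "repro")

# Constructed sample report, not a real vulnerability.
SAMPLE_REPORT = {
    "component": "student portal login form",
    "impact": "authentication bypass for any account",
    "repro": "step-by-step description withheld until payment",
}


def _h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field/nonce/value boundaries
    cannot be shifted to forge an alternative opening."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


def commit_report(report: Dict[str, str]) -> Tuple[bytes, Dict[str, bytes], Dict[str, bytes]]:
    """Seller side.  Returns (root, per-field commitments, per-field nonces).

    root and the per-field commitments go to the buyer (who should timestamp
    and sign them alongside the contract).  The nonces stay with the seller:
    a 32-byte random nonce per field is what keeps each commitment hiding."""
    if set(report) != set(FIELDS):
        raise ValueError(f"report must have exactly the fields {FIELDS}")
    nonces = {f: secrets.token_bytes(32) for f in FIELDS}
    leaves = {f: _h(f.encode(), nonces[f], report[f].encode()) for f in FIELDS}
    root = _h(*(leaves[f] for f in FIELDS))
    return root, leaves, nonces


def verify_opening(root: bytes, leaves: Dict[str, bytes],
                   field: str, nonce: bytes, value: str) -> bool:
    """Buyer side.  Checks that (field, value) is what was committed to, and
    that the field commitment is the one bound into the recorded root."""
    if field not in FIELDS:
        return False
    expected_leaf = _h(field.encode(), nonce, value.encode())
    if not hmac.compare_digest(expected_leaf, leaves[field]):
        return False
    recomputed_root = _h(*(leaves[f] for f in FIELDS))
    return hmac.compare_digest(recomputed_root, root)


def run_exchange(report: Dict[str, str],
                 tampered_repro: Optional[str] = None) -> Tuple[Dict[str, bool], bool]:
    """Walk through the negotiation:
    1. seller commits; buyer records root + leaves;
    2. seller opens the scope fields so the buyer can judge impact;
    3. after payment the seller opens 'repro'.  If the seller tries to hand
       over something other than what was committed, step 3 fails."""
    root, leaves, nonces = commit_report(report)
    pre_payment = {
        f: verify_opening(root, leaves, f, nonces[f], report[f])
        for f in ("component", "impact")
    }
    revealed = report["repro"] if tampered_repro is None else tampered_repro
    post_payment = verify_opening(root, leaves, "repro", nonces["repro"], revealed)
    return pre_payment, post_payment


if __name__ == "__main__":
    print("honest seller:", run_exchange(SAMPLE_REPORT))
    print("swapped repro:", run_exchange(SAMPLE_REPORT, tampered_repro="rm -rf / (lol)"))
```

What this does and does not buy you: the commitment is binding, so once the buyer has judged scope from the opened fields, the seller cannot quietly substitute a different (or empty) reproduction after being paid, and the buyer has a timestamped artefact to point at if it comes to the legal pursuit mentioned above. It is not a proof that the bug exists: a commitment to nonsense opens just as cleanly as a commitment to a real exploit. Establishing impact still needs the in-person demonstration or the trusted third party the thread discusses, which is exactly the Catch-22 being described.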