by jdiez17 4640 days ago
Security researchers' time is valuable. They spend their own time trying to find vulnerabilities that black hat hackers would use against their users, possibly at a profit. They report it to the company giving them a chance to fix their problems. It's called responsible disclosure, and the compensation keeps the smart guys on your side.

It doesn't even have to be monetary - for example, GitHub maintains a list[1] of people who have responsibly disclosed vulnerabilities, and they often send them a shirt or something similar.

[1] https://help.github.com/articles/responsible-disclosure-of-s...

2 comments

This sounds remarkably like how the squeegee men operate in a big city. Oh, hey, I just washed your windshield, you owe me some money. No? Oops, terribly sorry about that scratch as I walked by.

Except the squeegee men offer a service that you don't really need, and doesn't offer you much value. Responsible disclosure to a company is often much more important than a clean windshield is to you.

> Security researchers' time is valuable.

Maybe. But nobody asked these guys to do a thing. Ergo, no foul.