We recall a security tester once asking the question whether it might be possible to get paid by the software industry for bugs and vulnerabilities that they found relating to the security of software programs.
The answer to his question was...........................
If you found a pothole in the road, would you call the city and tell them you'll give them the location... for a fee? They told him, why not just report problems for the greater good? You know.... be a good citizen and all that. They said, we're not against what you do, but we are wondering if the software industry will ever value your contribution enough for there to be any real money in it.
What they didn't tell him was how many of their clients were being blackmailed at that time. How many of their customers were paying for buggy software and security software patches - at the same time as paying hackers who were holding them to ransom, in return for information leading to the return of certain confidential data assets.
We don't believe in this good citizen crap. It is just a veil for allowing software vendors to operate sloppily. Best way to approach this is to push back on the software vendors - by hitting them in their pockets. When we are sloppy at work, we lose our job. When we are sloppy driving - we get fined. If they are not going to take responsibility for the quality of their products - someone else will - and in return they should get to pay a large fee.
They make the potholes - after all. They should pay professionals to find them.
Why should citizens pay for crap software products.