Michal's points aren't moot, and do approach the problem from an economic standpoint. Someone should obviously sell their work to the highest bidder, but then we also have to factor in several external factors.
First, crime does pay, but it has drawbacks. Becoming known as a criminal could limit your ability to get work later, and likely isn't in your best interests. You could also end up with various penalties. If someone did free research on a business's physical security, and then told the owner they'd sell the results to them or to the gang around the corner, they'd likely end up dealing with prosecution. I feel like doing the same thing with respect to software security is really equivalent.
Second, being perceived as either a criminal or someone with low ethics will also reduce people's willingness to hire you. I know some very sharp security people who I won't hire because I don't trust them. There are other sharp people I can trust that can do the job, too.
Third, being viewed as someone who works in a responsible, ethical manner can have huge payoffs in terms of future work and marketing value. The value of a vendor saying "thank you" can be quite high - I have personal experience with this.
Another aspect that's hard to factor depending on the vendor is what the value of a bug is to the vendor. Someone working internally may find dozens (sometimes hundreds) of bugs/year, which establishes what a vendor thinks of as a reasonable value for a bug. An external researcher is likely less efficient at finding bugs, and places a higher value on their work than the vendor would. This leads to an inevitable conflict.