There are currently 20 programs that reward researchers for finding security flaws or that buy bugs outright. In the first ten months of 2011, the pay-for-bugs program Zero Day Initiative credited Luigi Auriemma with discovering 30 vulnerabilities, ranging from issues in Sybase enterprise software to Adobe Shockwave to Apple QuickTime. Despite ZDI's bonus system, his independent research is not a career, he says. The disconnect between the value of vulnerability information to criminals and security firms and developers poses a major problem for protecting information systems.
Source: https://threatpost.com/economics-vulnerability-research-still-skewed-110211/75839/

