I also wanted to mention that in the last few years many large companies have subscribed to hackerone’s “bug bounty” program where people who find an exploit are encouraged to report it through that service and they will indeed be paid if they are the first to report it. It seems to work out well for everybody and I don’t consider it unethical. To me, this is more like when a county government puts out a bounty for a particular invasive species and everybody who wants to participate in the collection gets paid for what they collect.
ZenDesk is one of the companies that participates:
Reporting Security Vulnerabilities to Zendesk
Zendesk aims to keep its Service safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Service, we appreciate your help in disclosing it to us in a responsible manner.
Our responsible disclosure process is hosted by HackerOne’s bug bounty program. Please visit our HackerOne portal located at https://hackerone.com/zendesk to report any security vulnerabilities. Only vulnerabilities submitted there will be eligible for a reward.
If you previously responsibly disclosed a vulnerability to us, thank you. Our list of contributors continues to live on at Hackerone and can be found here: https://hackerone.com/zendesk/thanks/prior
Android itself has a bounty program that can pay a couple thousand dollars.
We’re launching Android Security Rewards to help reward the contributions of security researchers who invest their time and effort in helping us make Android more secure. Through this program we provide monetary rewards and public recognition for vulnerabilities disclosed to the Android Security Team. The reward level is based on the bug severity and increases for higher quality reports that include reproduction code, test cases, and patches.
Chrome, Google, Dropbox, Facebook, Pebble, AT&T, Deutsche Telecomm , Github, Instagram, PayPal, Spotify and many other major companies have similar published programs, each with their own rules and reward levels.
So I do think at this point as a general industry practice receiving a bounty for being the first person to report and adequately document a critical bug is considered both ethical and reasonable.
Note that this is all a big change from 10 or 15 years ago. But most companies welcome these reports and do find them valuable.