> “Not much. The real incentive for finding a vulnerability in cURL is the fame ('brand is priceless'), not the hundred or few thousand dollars. $10,000 (maximum cURL bounty) is not a lot of money in the grand scheme of things, for somebody capable of finding a critical vulnerability in curl.”

That's the choice as seen from the perspective of a white-hat hacker. But for an exploitable vulnerability, the real choice is to sell it to malware producers (I'm including state-sponsored spyware companies like the makers of Pegasus in this category) for a lot of money, or do the more moral thing and earn at least a little bit of money via a bug bounty program.
That's a story that people like to tell to justify bug bounty programs, but it strikes me as very unlikely that some random pentester / white-hat hacker would have access to communication with malware producers.

Black-hat hackers seem entirely unreasonable to deal with, you'd have to manage some sort of escrow payment (because neither party trusts the other) probably through cryptocurrency, and then deal with laundering the money, et cetera.

Perhaps one could as you theorize, go to some private company, but it'd have to be at least somewhat approved by the white-hat hacker's own government lest they risk legal trouble, and I'm still dubious that the company would be all that willing to pay for some "freelance hacker's" supposed vuln.

The logistics just don't make sense.


Hopefully the malware authors have the same issue of filtering through garbage AI submissions.