You're not entitled to a bounty just because you found a bug. Some companies offer these bounties and it's good that they do, but that doesn't mean every company is obliged to offer them, or that a company that offers bounties for some bugs is obliged to offer them for all bugs.
How about a moral obligation? Honestly, it sounds like if a taxi driver returns a bag full of cash to the owner, it is perfectly alright if they just say "Thank you" and walk him to the road. Legally: nothing wrong, morally: being a greedy asshole.
Frankly if a taxi driver bitched on his blog about someone doing that I'd be saying the same thing. It's nice when someone gives you a reward for doing the right thing. But you shouldn't act like you're entitled to it, because you're not.
> But you shouldn't act like you're entitled to it, because you're not.
Depends where you are. In Germany you are entitled to a finder's fee by law (in the case of the taxi only if the value is > 50€ and only 2.5% instead of the normal 5%).
It should absolutely be in the interest of companies to reward security researchers who find flaws in their systems. Otherwise, they will be screwed by the less scrupulous.
That's a false analogy. Taxi drivers are obligated to return lost property, but nobody is obligated to report bugs. That's why you create an incentive to report, i.e., the bug bounty.
Aye! It's not a perfect analogy, but I was pointing out why people should reward the guy if he didn't exploit the situation in a wrong way. In this case, the whole source was available to him. Albeit, he was more or less inclined to report the bug, but what if he hadn't and had probably sold it somewhere? Why shouldn't the company reward him for his effort?
As an aside this very thing is an excellent example of how extrinsic motivators can "poison the well" as it supersedes intrinsic motivation. Dan Pink gave a great talk on this -- http://www.youtube.com/watch?v=tJr9QajdCNc (sorry, I prefer the illustrated version).