If you are sending in an unsolicited vulnerability report, I think it's fair to expect the vendor to fix the issue promptly and play nice.
Beyond that, you are willfully making a gamble with your own time. Nobody is forcing you to do that. If you are lucky, perhaps the vendor will be impressed with your work and perhaps will contract you in the future. Or, perhaps they will give you a hefty reward. Another perfectly acceptable outcome is that they will just thank you and maybe send you a t-shirt. A coupon to a corporate store seems a bit impersonal, but you know, gift horse, mouth...

In the end, vulnerability reward programs have their pros and cons, compared to building in-house talent, commissioning traditional third-party security assessments, and so on; companies that favor one approach over the other aren't necessarily incompetent or evil.

And you know, I'm saying this as a guy who recently bumped our own rewards for XSS to as much as $7.5k...

/mz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/