And this is why hackers profit...
You take an honest researcher attempting to Do The Right Thing by telling the company first about security flaws in their product. Company makes oodles & oodles of money but can't be arsed to give any of that dosh to the folks trying to help them help themselves. Honest researcher gets an offer from dishonest hacker to pay money for undisclosed flaws. Now honest researcher has a choice: keep trying to DTRT with a company that snubs them, refuses to pay them, and at best might mention their name in some later patch, or a quick buck right now from someone that is delighted by said researcher's work. It doesn't take a rocket surgeon to figure out where that situation is headed...