>How about simply being a decent human being?
This one cuts both ways. As has been pointed out, a big (US) company is making money out of this software - are the people with the chequebooks being "decent human beings" by not rewarding bug finders at rates that reflect the work involve?
I thus suggest "decent human beings" don't expect everyone to cover their own costs and work for free. In some respects I suggest finding a security hole and them crafting an exploit to use that hole is more akin to creating a work-of-art, so perhaps bug finders should be sending the results of their work to auction.