Journal Entry #13: Bug Bounty

In recent years, the need for security researchers has skyrocketed. Bug bounty programs have become a necessity for organizations seeking more robust security. The problem arises in the absence of vulnerability disclosure policies: many researchers do not report their findings for fear of being prosecuted.

A group of researchers came together in 2021 to build a model from HackerOne data to find the most common reasons security researchers withhold their findings, and the results were quite telling. First, many hackers do not put much weight on financial compensation; instead, they prefer the exposure and bragging rights. Only more seasoned hackers, with 2-3 years of experience and exposure, put more weight on financial gain.

Another result was that fewer reports were filed in the financial, retail and health industries than elsewhere. Vulnerabilities in these industries have more value on the black market, and many security researchers are tempted to keep those reports to themselves.

One note I want to add: in the same year as the report this entry is based on, a few months later, the Cybersecurity & Infrastructure Security Agency (CISA) developed and published a Vulnerability Disclosure Policy (VDP) platform. This platform was created so that federal agencies and private organizations can benefit from the knowledge of the research community.

References:
https://academic.oup.com/cybersecurity/article/7/1/tyab007/6168453?login=true
https://www.cisa.gov/resources-tools/services/vulnerability-disclosure-policy-vdp-platform
