Vulnerability Auction

WabiSabiLabi. Here’s a thought: pay security researchers, and get the pay from a variety of sources:

According to Herman Zampariolo, CEO of WSLabi, "We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities, very few of them are able or willing to report it to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals."

Finally a Marketplace Site for Security Research, WabiSabiLabi, Tuesday, 03 July 2007

It’s not clear to me that they would be "forced" to sell them to cyber-criminals, but this should give them incentive not to. And WSLabi first verifies who the researcher is and replicates the exploit independently before packing and marketing it, thus reducing chances of fraud or mistaken identification.

This auction of vulnerabilities follows on some previous steps. No doubt it’s going to get some bad press. But it also looks like a way to get many more eyes on the code, making many more bugs easy to find. The affected vendors, whether big companies or open source software efforts, probably can’t hire as many researchers as they can find this way. This looks to me like coordinated detection and response, possibly even before a vulnerability has been exploited.

This auction could even serve as a reputation system for software vendors. And I wonder if a similar marketing move could work for Internet performance?

-jsq