Really, what is a good argument against companies paying for security exploits? It's virtually certain that if a company like Microsoft offered $1,000 for a new IE exploit, someone would find at least one and report it to them. So the question facing Microsoft when they choose whether to make that offer, is: Would they rather have the $1,000, or the exploit? What responsible company could possibly choose "the $1,000"? Especially considering that if they don't offer the prize, and as a result that particular exploit doesn't get found by a white-hat researcher, someone else will probably find it and sell it on the black market instead?companies have an opportunity to leverage the hax0r community to strengthen their own products. would it not be better to know about vulnerabilities such that they may be fixed?
the same thinking applies to sales of human organs. wouldn't it be better to get access to as many organs as are needed than to stick to some strange protectionist strategy? (i call it protectionist because there are parties that profit from organ sales already, just not the family of the deceased.)
it's time to re-think our knee-jerk policies and use markets to start solving problems.