Isn't it interesting how times change? In the distant past if you pulled this kind of thing you could expect to be shot or suffer some other kind of untimely demise, but now the level of entitlement in some sectors is so high that people expect to be paid rather than prosecuted. That's not so say that vulnerability researchers shouldn't be paid, mind you, but that that kind of arrangement should be in place before hand (whether through some sort of contract or open bug bounty program), not after.