David Wheeler wrote an interesting article about the economics of vulnerabilities. He fears that the current "'vulnerability bidding wars' [...] will create an overwhelming tsunami of zero-days available to a wide variety of malicious actors." Beside describing some general problems of bounties in the security field, the main point of his article is the idea to increase security by criminalising the selling of "vulnerability information to anyone other than the supplier or the reporter's government."

About the effects of the vulnerability economics on Free Software Wheeler writes:

The current situation might impede the peer review of open source software (OSS), since currently people can make more money selling an exploit than in helping the OSS project fix the problem. Thankfully, OSS projects are still widely viewed as public goods, so there are still many people who are willing to take the pay cut and help OSS projects find and fix vulnerabilities. I think proprietary and custom software are actually in much more danger than OSS; in those cases it’s a lot easier for people to think “well, they wrote this code for their financial gain, so I may as well sell my vulnerability information for my financial gain”.