A suggestion would be: if you want to research vulnerabilities without the possibility of prosecution, why not research other countries' companies' vulnerabilities, where those countries have no treaty criminal-deportation agreement with your home country? Such companies can still pay you if they appreciate what you've done, but they can't sue you if they don't; and even complaining to their government about what you've done won't really amount to anything in the end.
This, I think, solves the problem, at the cost of raising two other problems:
• Your own government might not appreciate you improving the security of [essential industries of] its enemies;
• the foreign government might interpret the vulnerability research as an act of cyberwar (much like, say, flying your own drones over a foreign military installation as a private citizen would be interpreted as an act of regular war), and your own government might have to trump up some domestic charge to pin on you in order to appease them.
The first factor is more important in time of war (you might be branded a collaborator!); while the second is more important in time of peace (you might be branded an instigator!) So there's probably very few "exactly right" times to do this where you'd likely get away with doing it scot-free.