This is an exemplary response from Google. They respond promptly (with humor no less) and thank the guys that found the bug. Then they proceeded to pay out a bounty of $10.000.
Well done Google.
Maybe someone could set up a firm where individuals could hand them a vuln report, and then the firm would contact the vulnerable company on the individual's behalf. The firm would do the long, boring dance of "we suspect you're vulnerable to X, though we haven't tested it, but we'd like to do a free vulnerability test on you, so please sign this liability waiver", both protecting the individual from liability, and taking time the individual doesn't have. In return, if the company gives rewards, the firm could take a percentage.
I think you have a winner on your hands.
I may not have the option of changing bank because the others are even worse.
However, I don't know how much I would pay for that. Probably some kind of class action would work.
The only thing I can think about is some security firm doing this, using the exposure as a marketing tool and establishing themselves as an authority on the subject.
Just remember, many sites use the old certificate expiration even though they generated new certificates, which shows up as a false positive on the checking tools.
Am I missing part of the story?