vulnerabilities exist. this is true of all systems, no matter who uncovers them
therefore, an intelligent organization: a bank, a military, a government, will have a system where private disclosure of vulnerabilities results in a reward for the discoverer
if you don't have such a policy, a discoverer might turn to finding reward in your vulnerability with your enemies or criminality instead
unfortunately, the discoverer must consider the possibility that if he divulged the discovered vulnerability quietly, the organization he penetrated might find the least costly solution to the problem to be the disappearance of the discoverer
such that the most moral and safest approach for a discoverer is to go public with the vulnerability instead. which of course invites the wrath of the organization penetrated. it's a no-win situation for the moral discoverer of a vulnerability, such that there is constant pressure on white and gray hats to go black