Aside from the obvious ethical reason, I see two reasons more important than the $1,000 to go "white hat" rather than "black hat".
When a potential employer Googles my name, I want them to find my name on CVEs, Github commits, etc. - demonstrable proof that I do in fact find and fix real-world issues. I'm working on that. Right now, I'd have to point out my contributions, they aren't easily found via Google. For that, having a company or other organization publicly acknowledge my work is much more valuable than $1,000, if it helps me land a great job.
On the other hand, selling it on the black market could put me in federal prison. If the god guys offer me $1,000 plus a reputation boost, while the bad guys offer me $5,000 plus a possible prison sentence, I think I'll take the good guys' offer. That $1,000 could, in some cases, be enough to pay someone's past-due rent so they don't feel they have HAVE to capitalize on it in a bad way.
The other scenario I see is that several times per year I notify a smaller company of some security hole I noticed in passing. I haven't thoroughly probed it, just noticed "gee, it throws an error on O'Doole, it's probably not escaping the input and therefore vulnerable to SQL injection". Sometimes I don't bother to track down the proper person to notify and go notify them. Sometimes, I send an email to the only readily available email address, customer service, and the $8 drone on the other end replies with a form letter wholly inappropriate to the situation, so they obviously don't understand what I told them. In those cases, I'll likely not spend much time trying to find another person at the company. If most companies paid even $100 for a bug bounty, that would make it worth my time to spend a few minutes finding their report form and use it. Heck, at $100 per SQL injection vulnerability I could make a good living finding and reporting those for six hours per day.