The best way to reward users is to give them an award that is publicly visible, to encourage others to do the same.
Anecdote: I worked at an organization that, like many others, had a public "share drive." Sometimes I would browse the folders with pictures of coworkers at after-hours events. One time, I decided to see what was on the drive, and I found an Excel spreadsheet with a list of names, last 4 digits of social security numbers, and credit cards. Excel keeps the author's name in the file, so I contacted the author. They replied with "Oh, that file is a temporary file and it gets deleted every 30 days, so don't worry about it." I forwarded the email to the company's head of security, expecting no reply. A month later I was invited to a conference room for something random, and much too my surprise, I was presented with an award in front of 20 or so people in my department. My boss told me it was handed down to him by the head of corporate security, along with an explanation of what I had done. I was in genuinely proud. Because of that event, I was more engaged with the company, and I have taken that security mindset with me. I can only hope that other employees took it to heart as well.
I know the summary is about users reporting internal security concerns. However on a broader note, we need an industry standard fo reporting security issues. Every other day there's some story about an organization that ignored a report, or sued the researcher, or something. We need a standards body to:
1. Create a standard form for submitting vulnerabilities (especially to 3rd-parties.)
2. A standard way to deliver that form.
3. A standard amount of time to wait for a response before disclosing it.
4. A standard form to disclose it publicly, and a list of appropriate organizations to receive it.
5. An industry-accepted expectation that, if you follow these industry standard steps, then you should be safe from lawsuits.