Their argument was that non-aligned security researchers who find security-related bugs ought to be paid for disclosing them to the relevant vendor. No money, no report.[nakedsecurity.sophos.com]