> The obvious compromise would be to set two rewards: one for showing the exploit, another for showing its source code, at the hacker's option. By not disclosing the exploit the hacker would give up a higher guaranteed reward in exchange for a chance to make a juicier deal, but they'd be racing against Google's reverse-engineering effort.
I'm not sure if I'm completely understanding your idea... but in your proposed scenario wouldn't Google be sponsoring a place where the actual attackers that want to screw their users can window shop for working exploits? All researchers would be getting money from Google for participating in their contest, to then sell their working exploit, which would take Google a significant amount of time to fix, to the highest bidding blackhat/government.
OK, it's a screwy compromise, and it wasn't exactly intended by a single party. But it's happening anyway, in the sense that Google is awarding money for full exploits, and ZDI is awarding money for something that is both tasteless advertising, and still allows Google to fix more bugs than if they appeared only on the black market.