This is definitely the way to go...it shows those out there they can make money upfront from the company providing the software if they find a security flaw and don't abuse/make public. Of course, there's the line of questions as to wonder how integral their checking will be otherwise someone'll find the bug, abuse it, make it public on some off-shore web server and then try to cash in maybe...who knows?