Looking at companies like Mozilla that are actively offering money for "critical" security bugs that meet a list of requirements, this is to be expected now. If they can do it, why not anyone else? I see some companies stepping up and saying "Hey, we want a better product and are willing to pay out on legitimate, unexploited bug finds that are critical," and I see other companies not doing so and hence getting "threat" emails to their development staff saying something like "Hey, I found this huge bug; what's it worth before I release it?"
Mozilla's security bounty program info can be found here and has quite a few interesting reads.