A few weeks ago the Ministry of Social Development story broke - there were kiosks in the Work and Income offices that were open to the public and connected to the department's servers, effectively allowing anyone to walk in off the street and access sensitive information that was being held on citizens currently using the service. It was all fairly horrendous.
At some point Ira Bailey got a bit of criticism for attempting to blackmail Winz. Brendon Boyle, the head of MSD, said "Mr Bailey had asked for cash in order to tell the Ministry where the problem was.", an idea reiterated by John Key. From where I was sitting it was sounding very much like an attempt to cast Bailey as a criminal.
There are people who do this for a living though. It's not an uncommon practice for companies to pay individuals a bounty for bugs. And there's evidence to suggest that it's a practice that's paying dividends - there are a limited number of bugs in a given product and Google is finding fewer and fewer. Every time one is reported, it is fixed, and the end product becomes more secure. Rather than vilify those who find weaknesses in its systems, Google has recognized the value of the time people have invested in finding bugs and has used them to make its product better. It's a good deal, I think, certainly something that would make me more inclined to use and trust their products over a similar product that doesn't have such a scheme attached.