
Do you think this would work?

- Mr. Z: There's no warranty whatsoever. However, I might fix it for a small consulting fee.

- Company X: You either fix it, or we spread the word that you're irresponsible and everyone will inevitably migrate to libW.

- Mr. Z: Ok, and I'll spread the word that you are a cheapskate.



Can you give me an example of when it did happen or did indeed work?


I don't claim to have first-hand experience, that was just a suggestion. But there is a recent study on how maintainers respond to bug bounties here: https://arxiv.org/abs/2409.07670


Thanks! Got the paper, will read ASAP, hopefully. In the meantime, I have added a couple of real-world examples to the comment you originally replied to.

So there are some more words from the mouths of the people inside this.


https://news.ycombinator.com/item?id=39912916 they did get some funding after asking.


The title of the linked HN story is "Microsoft offered FFmpeg small one-time payment instead of support contract".

So FFmpeg said that they need a contract for that, and they have given a couple thousand dollars as a one-time contribution.

I mean, "a few thousand dollars" for something underpinning Teams is unacceptable. They probably charge 10x as much for a small client's yearly license.

C'mon now. This is not even satire.


I agree MSFT should have paid way more.

My point is that if FFmpeg tried to raise more awareness of the issue, say by talking to news outlets, they could get much more funding from MSFT.

Furthermore, big companies like Google and Microsoft care a lot about security. So they could raise money for security engineering like fixing memory corruption issues. Of course, FFmpeg could complain that Google and Microsoft don't care about all the high-severity vulnerabilities in FFmpeg. That would be much more of an eye-catcher.
