Here is the story. There is a private company that has a software product that thousands of its customers use. After spending a few sleepless nights reverse engineering that product, I identified a critical defect in it. The reason I explored this product was purely for sport: reverse engineering is my hobby and nothing more.
But during my exploration I identified a very serious defect that I did not expect. Exploiting it would mean extracting a lot of money from the users of that software (the company's customers).
Now, I am not going to act on that idea to steal money from other people; that is against my moral principles. Although someone who is not bound by such principles could earn "much" money, permanently (for months or years), without a trace.
I think it makes sense to mention that this is the company that makes money when its customers lose money, basically. Imagine financial commerce, money loans, gambling, etc., that kind of industry. So nobody really "loves" them (including their clients), and they know it, and they agree with that.
I think it would be fair for me to sell this vulnerability information to the company for a large sum, but I'm not sure how (or whether it can be done). Just revealing the exploit to the public, or even proving (without revealing the details) that such a vulnerability exists (and has always existed!), would be a great blow to the company, as they would likely lose a large portion of their customers. However (and even considering that the company earns millions of dollars per year), I am almost certain that they will not be willing to pay me anything unless I present 100% proof.
The dilemma is: how to explain the magnitude of that vulnerability without revealing clues about where to look for it. If I disclose the software product, and what kind of action contains what kind of vulnerability, I am pretty sure that they will investigate that particular possibility in that particular use case, and eventually they will find the vulnerability themselves. On the other hand, if I am "lazy" about it ("I found something in one of your products which can be used to steal money from your customers"), I'm pretty sure they won't believe me and won't pay anything.
If I disclose the information without demanding anything, that is, in the hope of a good-faith reward, I am sure that they will not issue any reward. They are just that kind of company: they don't care about good-faith security researchers. They will fix it without even responding with a "thank you" email.
Any kind of advice will be greatly appreciated. Isn't it fair to expect some kind of payment from the company in such a situation? I have never dealt with such a situation before (as I mentioned, RCE is just a hobby for me).