Also, software people: charge more.
Go to the big bug bounty targets and get better terms than are publicly available in return for higher productivity and better reports. This asymptotically approaches making you a retained security consultancy.
If you’re dominating the internal leaderboard which of these asks is out of bounds:
a) A complete description of all their properties
b) Heads up about new services
c) A named engineering contact and 24 hr response SLA
d) A deposit against your future bugs