Upon the suggestions from other commenters, I've had recent interaction with huntr.dev. I maintain an open source project and had a few members on there report vulnerabilities over the last month or two. They seem to pay out both to the finder of the vulnerability and the maintainer (me). The process seemed a janky at first but they've improved the platform since my first interaction and they seem to be encouraging a good thing. Had a few false reports but that has been outweighed by well-defined genuine reports.
