Yes, that's definitely more moral than my suggestion. However, you have to remember that not all "security researchers" are going to be so moral, and many of the more moral ones will simply not bother because they're not getting paid for their work. So users both gain and lose when you report an issue without compensation. It seems to me to be better to try to force the company into changing their policy, like what happened in this story. But it should be done without putting innocent users at risk (contrary to my original comment).