The counterincentive is bug bounties, which are rewards paid by software companies to people who discover vulnerabilities in their products. The idea is that those researchers will then inform the company, which can then patch the vulnerability. Bug bounties can work well, although a hacker can often make a lot more money selling vulnerabilities in widely used computer systems to either criminals or cyberweapons manufacturers.
