"If the full exploit & technique are shared with the vendor, we will probably *not* enter.."
At first I thought that comment was a little selfish, especially if you get 100k for a demo. Then however, you ONLY get 100k for a demo, and that seems like an extremely fair price for a demo. The demo will lean heavily with hints on how to fix the problem, so 100k might be too cheap! Not too mention, the respective company got of really cheap for what could of been millions in R&D. So I can see why honest people wouldn't want to disclose the entire process, which is essentially doing a possible multi-million dollar job for just a crumb of the cake.