My understanding is that nobody hired these guys to do anything and no bounty was offered for anything. So why should there be any expectation for a financial reward?
Security researchers' time is valuable. They spend their own time trying to find vulnerabilities that black hat hackers would use against their users, possibly at a profit. They report it to the company giving them a chance to fix their problems. It's called responsible disclosure, and the compensation keeps the smart guys on your side.
It doesn't even have to be monetary - for example, GitHub maintains a list[1] of people who have responsibly disclosed vulnerabilities, and they often send them a shirt or something similar.
This sounds remarkably like how the squeegee men operate in a big city. Oh, hey, I just washed your windshield, you owe me some money. No? Oops, terribly sorry about that scratch as I walked by.
Except the squeegee men offer a service that you don't really need, and doesn't offer you much value. Responsible disclosure to a company is often much more important than a clean windshield is to you.
