Security researchers that reach out to us to report security bugs should receive some credit for it. We may not have the ability to award money like Facebook or Google, but we can confer a bit of fame. This could either be a new section in Special:Version.
Not all those who disclose vulnerabilities wish to be identified, so we should make sure to ask first, and allow people to be credited under a nickname rather than a real name. We should also have an e-mail address inviting people who have disclosed vulnerabilities in the past to get in touch with us if they want to be credited.