Fame, reputation, marketing, using 0day in pen-tests, etc.

This isn't new, security companies have been paying contractors for unpublished advisories and exploits for over 15 years now.