make some money
Why not just set it so that if anybody can find a flaw, the company that produced the software gets a fine which is paid out to the tester. A % can be applied to how devastating the attack vector is by ENISA and then the company would have to match that for every product sold that is vulnerable to said exploit.
All regulated by ENISA. I think if people start hoarding exploits and release them once a month, generating continuous fines, they would start to take security more seriously.
Give people a goal and they will strive for it; the guy who gets paid 30k regardless may not try quite so hard...