I present security research in big conferences. This means that I find a serious security threat that affects many systems, and then I do not say anything to anyone for 6 months so that, when I do, I can get more publicity.
Don't you typically inform the system's owner as soon as you discover the vuln? You still get "credit" in that case, don't you? Somehow I suspect you're not really a security researcher...
In a lot of non-tech business, they would probably not award credit. Some would even sue you for even implying that their "perfect" brand could be vulnerable.
It's not really theirs to give, is it? If a researcher has a credible narrative of what she found, when she found it, some logs and other records, and any history of research at all, most people would believe her even if the owners of the researched system said "nuh uh we're perfect don't believe anyone who says otherwise!" Especially since such a system would be less likely to be fixed at the time of the presentation, so anyone interested could verify the vulns for themselves.
Of course the courts are open for business no matter what the circumstances, so a researcher might not take credit so as to not be sued.
