Although I think vulnerability discovery is a bad idea, I think it only fair for researchers to begin to keep track of how much time they put into the work. Vulnerabilities found per day/week/year would be useful information for security professionals to know.

So I propose that those researchers that claim to comply with "responsible disclosure" principals provide one more detail associated with any new vulnerability disclosed – a cumulative measure of how many hours it took them to find it.