A few years back, a blog written by hackers emerged on the Romanian market. Back then, I was working as a web developer for the biggest jobs site on our market (>3M revenue).
One morning, we got an email from the guy who started the hacker blog. It was a simple SQL injection that revealed a lot of sensitive data like user emails and contact data. We were instructed to fix this in 24 hours or he would go public and expose our error to the public. Nice guy, he gave us the benefit of the doubt. If we were a serious business, interested in the security of our users' data, we'd jump and fix things. If not, we deserved to be exposed.
We spent the entire day going through every single script on the site and tried to secure everything we could think of. The coding had been done years before by a different team and we found a lot of security holes.
The second day I went to my boss and told him the only way we're going to get them all is to hire the hackers to mess us up as badly as they could.
It was a win-win for everybody.
So, what I'd suggest is this:
1. Don't target startups. They have so many on their plate and so little resources, a small-to-medium security flaw won't be a huge priority. Making payday and turning a profit is top on their list.
2.Target companies with a lot to lose due to security. Go for the big guys.
3. Find one error, report it to the highest management level you can find contact details for, explain the risks and pitch your service.
I'm currently running a SaaS where data security matters. We already did a crowdsourced vulnerability test and it was a pain to set up. I'm really happy to have found out about you guys!
If you'd like to brainstorm a few more sales ideas, let me know, give me a few days to do some research and book a call.
Either way, let's keep in touch!