I like the idea and think - executed correctly - it could be big. BUT, I think the approach you take has got to be very careful otherwise you create a brand impression that makes you far less attractive to potential customers.

No one wants to admit that there is even a potential for security breaches in their site so despite the significant value your service potentially provides, there are a lot of hurdles to a sale here.

I would caution against approaching companies with a flaw discovered as a selling point. It had potential to create the wrong perception and it would involve cost to your community without guaranteed payout.

I would also consider broadening the service to in-depth technical testing. UserTest (IMO) doesn't deliver on real QA needs so making security vulnerabilities part of the service might be better for everyone.

I'm sure in a call for 30 minutes or less, I could give you some very specific tactical advice that would increase your initial success.

Either way, best of luck!