Sounds like a third party might be able to improve the situation by providing escrow.
With their first bugs, researchers are entirely unknown quantities to the company. Stating, "I have a critical zero-day, but I won't tell you what it is until you pay me $BUCKS," clearly won't work.
A reliable escrow service, to whom the researcher can provide the exploit and the company can provide $BUCKS, offers insurance to both parties. If the exploit is not as described, the researcher loses the exploit entirely and gets no $BUCKS, but if the exploit is as described, the company cannot renege on the deal.
(Edit, addressing the direct question more clearly: perhaps what is necessary to avoid the perception (and reality) of extortion is the emergence of accepted professional understanding for assessing the value of exploits. Without such a system, there will always be a strong incentive pushing people in the direction of blackhat work.)