When I help companies to fix security issues I do not ask anything in return.
I come across a security issue on Mixpanel when auditing private client on Cobalt.io and I send to Mixpanel a little security advisory describing a Reflected Filename Download vulnerability with a couple of screenshots.
Mixpanel security team fixed the vulnerability very fast showing that they care about security.