So if someone tries to find a vulnerability you post his IP ? This might, or might not, be his actual IP, but aren't you supposed to keep this information (and other you might collect) private ? He/she might be trying to help you after all...  if I had any interest on this, now I would surely never give it a try.

Also, every related program I've seen paid much more than what you're offering. I don't see why anyone not so honest with an actual bug would sell it to you. Be clear about what you would actually pay, "There is no maximum reward" is not clear at all.

Finally, if you intend to help the community, you should disclose the bugs reported after you fix them.