I can afford it but I would never spend money to submit a vulnerability report. I'd need to be reporting dozens of vulnerabilities on a single site like hackerone to work up the motivation to plug in payment details and risk having them leaked/stolen in order to do someone else's work for them.
I'd sooner click sponsor for the cURL project on github (something I already do for some OSS I use) than spend money to report a bug.
That's my attitude towards this sort of thing as well, but unfortunately it seems that this attitude is unsustainable now that the cost of generating plausible-looking bullshit has been driven to 0. "Pay to prove humanity" seems like one of the only ways to keep something like this running if we don't built a hugely-invasive system of attestation.