Learning the Ropes of Security Consulting?
Tin asks: "I am a web developer and as a hobby, I sometimes find various security holes in application logic (the ones that provide a malicious user with root access, are not fixed by SPs and hotfixes and can go unnoticed/exploited for years). I then contact the company and, for a symbolic compensation, offer them to demonstrate how a potential intruder could break in and work with their developers to fix the problem. Some companies can only deal with this in a legal way with a contract, etc. Again, this is a hobby, not a business, and I have no legal expertise in this matter whatsoever. So I would like to ask people who do this for a living and all slashdotters in general: What is the right/professional/legal/safe way to do this? What kind of compensation do you usually go for? Maybe somebody can email me a sample contract?"