By that logic, why would he even bother reporting it and have security experts poking around the logs and potentially finding traces of his download?
Personally, I would have sold it to the highest bidder. Being "white hat" gets you in trouble more often than not.
I'll stick to "gray hat", thank you very much. If I ever choose to disclose any vulnerability to the owners, I will not reveal my identity, and after an arbitrary amount of time, say... (1 month), if it's still present, sell it to the highest bidder; let them deal with the consequences.
You have to be strict when teaching people, and this is no different. If you let them set the rules, they could choose an unreasonable length of time, like 1 year, before they allow you to disclose anything.
You are the one in the position of power; never let them take that away from you. By revealing your identity you give away all your power.
If you're not a threat people don't take you seriously.
> Being "white hat" gets you in trouble more often than not.
Granted. I've lost clients this way, despite having been actually invited to do work on their systems; such experience has taught me that the political concerns around unsolicited vulnerability reporting dwarf the technical considerations involved, and that trying to navigate such minefields is worthwhile only when the status quo is utterly untenable.
> Personally, I would have sold it to the highest bidder.
Well, that's a wholly different consideration, isn't it? Saying nothing is one thing. Gravely violating the ethics of your profession, and possibly criminal law as well, is quite another.
Maybe more pointedly - white hat and in high school, OR independent and not well known, OR when dealing with any sort of organization affiliated with government, banking, telecommunications or retail.
I think that covers 80% of this type of story cropping up quarterly in mainstream media.
Because "Being white hat gets you in trouble more often than not." is so obviously untrue to anybody with even the vaguest relation to the industry. It implies that more than 50% of the time, when you disclose a vulnerability responsibly you get in trouble. When it's more likely much much less than 0.1% of the time.
People getting in trouble for reporting vulnerabilities is highly rare. Show me 100 cases of it, and I'll still tell you it's rare.
Most of the industry wouldn't characterize themselves as "white hat"; just ask them and they will say they're more "gray hat" than white hat.
At least in private, anyway; if you ask them in public, they're forced to keep up appearances.
Now, we can argue about the percentages all day, but you have to agree being "gray hat" and keeping the power on your side by not exposing your identity is the safer way to go about it, unless you want bragging rights, which is a whole other level of psychology.
I'm not after the attention; I'd rather be the guy who nobody notices.