Comment by tlb

6 years ago

I can't imagine selling bugs to the highest bidder ever becoming ethically acceptable. You can't pretend not to know that the high bidder is probably a cybercriminal. If you do this, your hat is clearly black.

Once upon a time, vulnerabilities were just nuisances and people could justify some gray-hat casuistry when the damage was just some sysadmin overtime to clean up. But now there are serious organized crime rings and rogue nation-states using vulnerabilities to steal and extort billions and ruin people's lives.

It's OK to choose not to work on products with no bug bounties, but if you do find a bug in one you must disclose it responsibly.

> you must disclose it responsibly.

While most people agree selling a vulnerability is immoral, there is much debate on whether "full disclosure" is ok, and whether "responsible disclosure" is a term anyone should ever say (some argue the correct term is "coordinated disclosure").

https://news.ycombinator.com/item?id=18233897