Comment by jjmarr

4 months ago

You can't ask for money in exchange for not revealing a bug. That's blackmail which is illegal and ethically dubious.

White hat hackers do not require companies to pay them in exchange for not revealing a bug---the reveal of a bug only happens if a company doesn't fix that bug. Companies can be jerks and refuse to pay anything. That doesn't give you the right to blackmail them---you and other security researchers can just refuse to help them in the future.

A refusal to fix the vulnerability is what happened in the original blogpost, so it was fair game for release since the company doesn't care.

Hackers that don't care about ethics or legality won't bother blackmailing companies with vulnerabilities. They'll sell or use the vulnerability to steal more important data, and blackmail companies for millions of dollars in crypto.

I don't think this is true. I'm not a lawyer and this is not legal advice, but I think it's hard to fit the elements of an extortion statute to a "threat" to disclose the results of technical research work you yourself did. Moreover, if a vendor is working with HackerOne, they've already implicitly consented to their norm of non-disclosure in exchange for payment. Further, in something like 15 years of bounty programs, I haven't heard of any cases like this having been filed --- and bounty researchers threaten to publish all the time.

I also disagree that there's anything ethically dubious about it.

  • Depends on country as well. There was recently a case in Finland where a couple of people found an issue in certain locks made by Abloy. They were offering to sell the details to Abloy and suggested that they could alternatively publish them on YouTube. They were found guilty of extreme blackmail (I'm not sure if extreme is the proper term in English, essentially just a more extreme form due to e.g. demanding a lot of money). They are planning to appeal it so there is a chance it will get overturned.

To correct you, the revealing of a past bug happens almost all the time when a company does fix the bug - that's what lets researchers publish their findings and show the work they do publicly, and usually gives the company some positive PR for showing their willingness and responsiveness to fix issues. See the CVE program.

Gotcha. The moment you attach a monetary condition it can be seen as extortion. In that case I believe the only responsible thing to do is disclose using customary, reasonable waiting periods.

"Since you don't consider this a vulnerability worth fixing, I feel obligated to let people know their Zendesk might be misconfigured."