Comment by tptacek
4 months ago
I don't think this is true. I'm not a lawyer and this is not legal advice, but I think it's hard to fit the elements of an extortion statute to a "threat" to disclose the results of technical research work you yourself did. Moreover, if a vendor is working with HackerOne, they've already implicitly consented to their norm of non-disclosure in exchange for payment. Further, in something like 15 years of bounty programs, I haven't heard of any cases like this having been filed --- and bounty researchers threaten to publish all the time.
I also disagree that there's anything ethically dubious about it.
Depends on country as well. There was recently a case in Finland where a couple of people found an issue in certain locks made by Abloy. They were offering to sell the details to Abloy and suggested that they could alternatively publish them on YouTube. They were found guilty of extreme blackmail (I'm not sure if extreme is the proper term in English; essentially just a more extreme form due to e.g. demanding a lot of money). They are planning to appeal it, so there is a chance it will get overturned.