Comment by unyttigfjelltol

6 days ago

Contacting the authorities led the company to hire lawyers— for communication with the data protection authority.

The lever lawyers have to “make it go away” is “law says so.” They’re not going to beg for mercy, they’re not going to invite you to coffee, no “bug bounty.” From their perspective if they arm-wrestle the researcher into an NDA, they patched the only known breach, retrospectively.

Perhaps it’s not prosocial or best practice, but you can clearly see how this went down from the company perspective, with a subject organization that has a tenuous grasp of cyber security concepts.

I think we should stop making excuses for shitty practices. I can understand why they might do it; I can also see there are much better ways to deal with this situation.