I don't feel like its hard to come up with examples where (I would say) its ethically wrong to disclose immediately. If you spotted a company's mistake that might endanger their user's lives or safety, would you put those users at risk simply because there was no obvious financial reward?
If so, I guess we just have different opinions on the ethics involved here.
You seem to have a very bright line between the acceptable behavior for “no money involved” and “money involved”.
For me, it’s more subtle than that.
Everybody (“almost all software”) has exploitable bugs. Are you a fool for not finding the ones in yours? Maybe. Sometimes.
There is a huge difference between Project Zero finding a trivial vulnerability almost identical to one reported months earlier (close to negligence) and Mullvad having the CEO personally posting a response here in a very calm tone.
I don't feel like its hard to come up with examples where (I would say) its ethically wrong to disclose immediately. If you spotted a company's mistake that might endanger their user's lives or safety, would you put those users at risk simply because there was no obvious financial reward?
If so, I guess we just have different opinions on the ethics involved here.
If you are talking about some open source project then I would fully agree.
But when it comes to money making corporations then personally I dont agree that revealing flaws in their product comes into ethics at all.
A companies paid product is flawed, their own paid engineers didnt figure that out, why should I do it for free becasue 'ethics'?
This is the entire reason bug bounty programs exist in the first place.
You seem to have a very bright line between the acceptable behavior for “no money involved” and “money involved”.
For me, it’s more subtle than that.
Everybody (“almost all software”) has exploitable bugs. Are you a fool for not finding the ones in yours? Maybe. Sometimes.
There is a huge difference between Project Zero finding a trivial vulnerability almost identical to one reported months earlier (close to negligence) and Mullvad having the CEO personally posting a response here in a very calm tone.
1 reply →