Hacker News
by Rjevski 3247 days ago
You don't erase just your debt, you open up Tor browser and drop the entire database. That'll teach them for next time.
2 comments

> you open up Tor browser and drop the entire database

Apart from being a federal crime (CFAA), it would be rather obvious by the logs that a user was testing SQL injection on the demo system minutes before the production system was vandalised.

A better option would be to pay the debt, and then let them know you found a potential issue on their demo system. Let them connect the dots between demo system and production system. If they can't make the logical leap, then they deserve whatever someone else does.

Well obviously if you do that you wouldn't be testing the SQL injection for your main connection to begin with.

I'm not arguing against paying the debt - I would pay it in either case. However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

> However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).

I understand the feeling here, but no, they don't deserve to get their assets destroyed because of a lack of care.

Why not? Destroying the company means they won't be there anymore to put everyone's PII at risk.

Because private property is a cornerstone of a free society?

You can't just destroy someone else's property because you have some personal anarchist notion of justice.

If they are really being negligent then they should face the proper penalties.

Well the issue is that there are no penalties. Only free money for lawyers and nothing for the people who got their PII stolen.

Dropping the DB means there's no more PII to leak, makes a pretty good financial penalty for the company and doesn't make millions for useless lawyers. That sounds like an acceptable solution by my standards.

Better to pay your debt, wait till your PII has been removed, then issue a public disclosure of the bug.

Public disclosure because everybody should know about something like this that may impact them. Not because some random vigilante will see it and drop their DB for which they probably have no backups.

Make a backup for them first too, just in case they don't have one.

This is very evil...

In most of my D&D games it might be considered chaotic good, depending on the debt collector.