by OscarCunningham 3245 days ago
Yeah, I agree 100%. But in a lot of the cases mentioned in this thread the private data of the company's customers was at risk. For example, the system in the original article allowed you to access other people's names, addresses and national ID numbers. I was thinking only of situations like these; there's no reason to threaten a company if they're the only ones at risk.
1 comment

Okay, if private data of the company's customers is at risk, then it is a reason to push for some action, but it matters how you do it. In this case I don't see a big need for reinventing the wheel - this is a common issue for which all the options, pros, cons and risks have already been discussed and there is a somewhat clear consensus (with some debate about nuances) on the expected ethical action, and that is https://en.wikipedia.org/wiki/Responsible_disclosure or http://www.cert.org/vulnerability-analysis/vul-disclosure.cf...? . Many nations have some more specific guidelines issued by e.g. their local CERT that are adapted to their local legal situation.

The process works reasonably well even if the vendor is not cooperative. In that case it is somewhat similar to the message proposed above, but substantially different: first, the threat is not that you'll destroy or publish their data (which is extortion) but that you'll publish your description of the vulnerability (which generally is not); second, the threat is not that you might consider damaging the data (i.e. stating that you'd be willing to do an immoral thing) but instead that some other immoral people might damage the data; and third, the disclosure is not conditional on receiving money from them.

I can see that the proposed threat was meant in the same direction, and is somewhat similar to the "threat" implied in general responsible disclosure, i.e., if you don't fix it in 45 days then we'll publish info that most likely will mean that you'll get hacked. But it's substantially different; the details are quite important, and you'd need a good reason to deviate from the standard responsible disclosure guidelines.

I mean, what do you do when, after sending a message "I have hacked your system, accessed <this information> and modified <that bit of data>, using <this procedure>. You have <this time> to send <this much> Bitcoins to <this wallet>, or I <copy or trash> your database. Thank you for your attention.", you see that they have not fixed the issue but have transferred the requested Bitcoins? It'd be a possible direct result of your actions. Is that a desirable outcome? Is that an ethical outcome?