So normally he's a white hat that gets paid for bounties, but once he misses a single reply he dumps everything to the public? This barely earns him anything and puts government workers in unnecessary risk.
> once he misses a single reply he dumps everything to the public
Also known as "black hat", aka criminal.
Seems this is just all mundane info about ordinary people, no scandals, no war crimes, no improprieties. He's massively violated their privacy and subjected them to identity theft. Hope justice finds this bad dude.
They had the daemon running as root and I could read everything on the box.
Anyway. I sent them an email to webmaster and to a few PMs I knew but heard nothing back.
About a week later I got a REALLY nasty legal as apparently they thought my email was an attempt to extort them and not just a nice guy trying to point out the problem.
I think they thought I downloaded source code ...
The PMs I emailed had to step in and vouch for me but I think that without their help I would have ended up with a really shitty lawsuit.
Agreed. CFAA makes these kinds of disclosures stupid-risky in the USA. If the company has a bug bounty program then MAYBE disclose. You only stand to lose by trying to be a Good Samaritan otherwise.