by ggggtez 2615 days ago
"Normally" is a strong word, when it seems pretty clear his "bounties" are more like blackmail payments.

White hat hackers release bugs to get them fixed. This is clearly just a case of extortion. You release a bug, you don't steal documents yourself.


> ... are more like blackmail payments.

Nothing in this article concludes that he asked for payment.

Done properly you'd discover that you could copy sensitive files. You don't actually copy them.
I kind of got in a shit storm with Sun Microsystems back in the day about this...

One of their servlets had a query parameter like

/servlet/com.sun.projectname.SuperCrazyServlet?url=some_url_encoded_param

and I found out that it accepted file:// URLs.

They had the daemon running as root and I could read everything on the box.

Anyway. I sent them an email to webmaster and to a few PMs I knew but heard nothing back.

About a week later I got a REALLY nasty legal as apparently they thought my email was an attempt to extort them and not just a nice guy trying to point out the problem.

I think they thought I downloaded source code ...

The PMs I emailed had to step in and vouch for me but I think that without their help I would have ended up with a really shitty lawsuit.

Never disclose things like that. It does nothing positive for you. You could end up in legal hell.

If you really want it fixed post to pastebin and the traffic will bring attention to it. But it's better to just ignore and move on.
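The bug in that story, as an added example that is not from the thread or from Sun's code: a hypothetical fetch-by-URL handler in Python that opens whatever it is given (the behaviour described above), beside a validator that allowlists scheme and host before anything is fetched. The function names and the allowlist values are constructed for the example.

```python
from urllib.parse import urlsplit
from urllib.request import urlopen

# Constructed allowlist for the example; a real deployment lists the hosts the
# feature is actually meant to proxy.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"www.example.com"}


def vulnerable_fetch(url: str) -> bytes:
    """Mirrors the servlet in the comment: the query value is opened as-is.

    urllib's default opener includes a file:// handler, so a request such as
    ?url=file:///some/local/file returns that file's contents to the caller.
    If the process runs as root, that is every file on the box.
    """
    with urlopen(url) as resp:  # no scheme or host check at all
        return resp.read()


def validate_url(url: str) -> str:
    """Return the URL unchanged if it only points where the feature allows."""
    parts = urlsplit(url)
    # urlsplit already lower-cases the scheme; lower() is kept as belt and braces
    # so "FILE://" is rejected exactly like "file://".
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme or '<none>'!r}")
    if parts.username is not None or parts.password is not None:
        # "http://www.example.com@other.host/" would otherwise look trustworthy
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    if host is None or host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    return url


def is_allowed(url: str) -> bool:
    try:
        validate_url(url)
    except ValueError:
        return False
    return True


def hardened_fetch(url: str) -> bytes:
    """Validate first; run the service as an unprivileged user regardless."""
    with urlopen(validate_url(url)) as resp:
        return resp.read()
```

The host allowlist limits where the handler will connect, but it does not by itself cover HTTP redirects or DNS answers that change after the check, so the process should still run without root and without access to anything it does not need.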

Agreed. CFAA makes these kinds of disclosures stupid-risky in the USA. If the company has a bug bounty program then MAYBE disclose. You only stand to lose by trying to be a good samaritan otherwise.