by aeternum 2149 days ago
This was likely a net benefit to US citizens. Much better that this kid exposed these security holes. Imagine how bad it would be if a nation state did this close to the election.

Spearphishing is a real problem and tech companies have no answer. An annual employee training program isn't going to solve the problem. Simply making it illegal isn't going to solve the problem.


> Much better that this kid exposed these security holes.

That's why we have responsible disclosure. It does not make it okay to exploit security holes for profit.

> Spearphishing is a real problem and tech companies have no answer.

That does not make it okay to exploit it.

> That's why we have responsible disclosure. It does not make it okay to exploit security holes for profit.

I'm not aware of any bug-bounty or responsible disclosure method that allows spear-phishing, as the attack requires impersonation/fraud. Is there one?

Responsible disclosure does not equal bug bounty. Just because you found a security hole does not mean you are entitled to a payout.

The responsible way to do this would be to prove the access to Twitter's security team and not exploit it for personal gain. You can even just post it publicly, just don't try to scam people and profit based on the exploit.

Do you think that just because there isn't a bug bounty for a specific exploit that gives you a free pass to exploit it for personal gain?