by Daho0n 1924 days ago
"The law" doesn't sue anyone so the company is the one that "doesn't care". The law (if in a functional system) doesn't follow the letter of the law but the spirit of the law. Otherwise we wouldn't need a court but just a clerk or a low-level AI.

There are only three categories IMO (besides black hat):

1) The researcher discloses a vulnerability the proper way and all's good

2) The "researcher" did something that could cause harm and was punished

3) The system is utterly broken

I have seen all happen and the ones people are up in arms about have always been in category 2 or 3. Your last sentence about blackmail is in category 2 as demanding money for a proper disclosure from someone without a bug bounty program is the definition of blackmail.

1 comment

For anyone else who was wondering what the legal definition of blackmail might look like, 18 U.S.C. § 873:

"Whoever, under a threat of informing, or as a consideration for not informing, against any violation of any law of the United States, demands or receives any money or other valuable thing, shall be fined under this title or imprisoned not more than one year, or both."