by tmotwu
1880 days ago
You are free to disagree. Obviously, not every scenario can be navigated using an arbitrary policy for conduct, which was what clearly happened here.

'Informed consent' in the context of cybersecurity research is described in the Menlo Report [1]. And FYI, not all white hat stories are clean in their approaches; that in itself remains a controversial topic for another discussion.

Furthermore, employees in an organization are under a different set of contractual obligations, full of caveats, to their employers. In some ways, they've already "consented" to specific bare minimums (white-hat can be framed as security awareness training required in your job role). Open source contributors and reviewers are individual third-party actors. No one has established any tolerance limits. So "enough" people doesn't really apply here because no one was made the arbiter source to decide that.

[1] https://www.dhs.gov/sites/default/files/publications/CSD-Men...