Hacker News
by tcook_sucks_xie 1562 days ago
Eh, it's worth looking into. It's not a stretch to think that someone could find a bug without trying to conceal themselves, then return later from a more anonymous client to exploit the bug further.

It's not proof of guilt, but it is a reasonable trail to follow up on.

2 comments

I think it is a stretch. What basis would someone use, who knew enough to disclose immediately, to bet their freedom that it was being exploited by others such that they could exploit it without their initial disclosure providing probable cause that he was the exploiter? I can't even think of a movie where that happens, probably because it's impossible to create a suspension of disbelief with the plotline.
> think of a movie where that happens, probably because it's impossible

Always reminds me of a CSI (original series) interview with the actor who played Grissom; the writers contacted the police and forensics labs for story ideas but the real life events were so insane that they would feel too fabricated for television.

People are generally greedy and often dumb; maybe they found an open house door, put a little note in the mailbox, slept on it and thought maybe they could get away with a further peek inside if no one closed the door yet (which makes the perpetrator think they didn’t read the note yet)?

On one hand, someone working in infosec might also have access to a spare computer running Tails, which they use to sell the exploit to a third-party exploit customer, but only after reporting the exploit to the victim company to cover their tracks regarding liability for things like those IP logs. On the other hand, it's not uncommon for a vulnerability to be detected multiple times by different, unrelated people, especially if that vulnerability makes itself known via semi-regular use of the product/service.
Aren't you just proving their point?
Following up doesn't necessarily mean suing. But that's the part I can somewhat understand, yes. What's more unreasonable is OP's employer, in my opinion.
OP's employer would likely want to avoid looking complicit in hacking a direct competitor to their line of business. What they did does not look overly unreasonable from that POV; the problem is OP put them in a pretty bad position. It's not just about being factually right either; appearances can matter too.
OP absolutely did not put their employer into any kind of situation. Thanks for F-ing helping.