[aneth]

I think you're supposed to exploit the vulnerability in relatively innocuous but deeply disturbing ways, get banned, then complain about how you only meant well, then be lauded on Hacker News as a martyr who should have been embraced by the hacked company.

[rdtsc]

Or rather you contact them. Then they ban you and possibly send the FBI after you for "illegally accessing a remote computer system" or other such crime and then you are punished for all your work. If you tell them you will disclose your research on a certain date they'll go after you for extortion.

I wrote this before and I'll say it again. I don't believe in "White Hacker" as a label. Corporations do not do well when their vulnerabilities are exposed. They don't have a way to handle "White Hackers" unless they are the ones hiring them. Most will strike back and punch you in the face no matter how good your intentions are. So if you already spent the time researching and finding the vulnerability, just disclose on a security forum or if you want to profit, sell on a black market.

[tptacek]

If you tell them that unless they pay you or retain you as a contractor by a certain date that you'll publish, you are in fact extorting them.

People who have found vulnerabilities and also been naive about the law have run aground on this before.

[huhtenberg]

Do you have any examples?

[tptacek]

I'm worried that if I start Googling this I'll lose a couple hours of my day to a "researching vulnerability extortion" jag.

[sectek]

I don't believe it is extortion since all he is asking them to do is fix their own vulnerability. I believe extortion requires the demand of money or services in exchange for action/inaction.

[bad_user]

Isn't fixing the vulnerability a demand of services?

[tptacek]

Doubtful, or a lot of consumer demands are technically extortion. In particular, the model jury rules for extortion tend to refer specifically to property (usually money).

[ericgearhart]

I believe you mean "White Hat Hacker"... I think everyone gets the gist of what you mean but just wanted to clarify in case someone's thinking you're a racist hating on "Whitie" or something :)

[rdtsc]

Sorry, of course you are right. And it is too late to 'edit' the comment. Thanks for pointing it out.

[dclowd9901]

Are there really people in this community who don't know this?

[sciurus]

I've heard the phrase "white hat" used frequently to describe hackers. I've never heard the phrase "white hacker".

  About 526,000 results
  http://www.google.com/#hl=en&q=%22white+hat%22+hacker

  About 65,000 results
  http://www.google.com/search?hl=en&q=%22white%20hacker%22

[dclowd9901]

You know what? I totally mentally replaced the word "white hacker" with "white hat", and only realized it after you pointed it out.

[excerionsforte]

I prefer the homakovs of the world rather than the Anons (they would take full advantage) of the world. To have one vulnerability that could lead to another is undesirable. Homakov's actions could be considered aggressive, but sometimes that's exactly what is needed in order to push something. (no pun intended)

[tptacek]

The world does not divide into those two kinds of people.

[excerionsforte]

Who said it did? I surely did not and did not imply that at all. I simply expressed my preference of the interests of two kinds of people.

[thwest]

We can still agree homakov doesn't deserve this kind of lingering resentment on behalf of the OP.

[tptacek]

I don't agree that there is resentment. That comment seemed to choose its words carefully to avoid judging.

But ideally this isn't going to be a subject you & I are going to end up having to argue about today.