[rdtsc]

Or rather you contact them. Then they ban you and possibly send the FBI after you for "illegally accessing a remote computer system" or other such crime and then you are punished for all your work. If you tell them you will disclose your research on a certain date they'll go after you for extortion.

I wrote this before and I'll say it again. I don't believe in "White Hacker" as a label. Corporations do not do well when their vulnerabilities are exposed. They don't have a way to handle "White Hackers" unless they are the ones hiring them. Most will strike back and punch you in the face no matter how good your intentions are. So if you already spent the time researching and finding the vulnerability, just disclose on a security forum or if you want to profit, sell on a black market.

[tptacek]

If you tell them that unless they pay you or retain you as a contractor by a certain date that you'll publish, you are in fact extorting them.

People who have found vulnerabilities and also been naive about the law have run aground on this before.

[huhtenberg]

Do you have any examples?

[tptacek]

I'm worried that if I start Googling this I'll lose a couple hours of my day to a "researching vulnerability extortion" jag.

[sectek]

I don't believe it is extortion since all he is asking them to do is fix their own vulnerability. I believe extortion requires the demand of money or services in exchange for action/inaction.

[bad_user]

Isn't fixing the vulnerability a demand of services?

[tptacek]

Doubtful, or a lot of consumer demands are technically extortion. In particular, the model jury rules for extortion tend to refer specifically to property (usually money).

[ericgearhart]

I believe you mean "White Hat Hacker"... I think everyone gets the gist of what you mean but just wanted to clarify in case someone's thinking you're a racist hating on "Whitie" or something :)

[rdtsc]

Sorry, of course you are right. And it is too late to 'edit' the comment. Thanks for pointing it out.

[dclowd9901]

Are there really people in this community who don't know this?

[sciurus]

I've heard the phrase "white hat" used frequently to describe hackers. I've never heard the phrase "white hacker".

  About 526,000 results
  http://www.google.com/#hl=en&q=%22white+hat%22+hacker

  About 65,000 results
  http://www.google.com/search?hl=en&q=%22white%20hacker%22

[dclowd9901]

You know what? I totally mentally replaced the word "white hacker" with "white hat", and only realized it after you pointed it out.