(Note: this post represents my own opinions, not anyone else's)
No, but they normally report the vulnerabilities they find.
I participate in a lot of responsible disclosure programs (Google, Facebook, Mozilla, Dropbox, Twitter, Etsy, etc.). All of those programs dictate that you report the security vulnerabilities you find, and that you not abuse them.
What was described in the blog post sounds a lot like real security audits that I've seen done. However, the difference is that those audits are done by professional security researchers who have been hired by the company for that purpose. If you're an outside security researcher you have to abide by a very different set of standards. Common sense would argue those standards include abiding by the company's responsible disclosure policy.