Vendors who pay bounties often restrict public disclosure, and the professional value obtained from being able to talk about the research you do may be worth significantly more than the payout
> Vendors who pay bounties often restrict public disclosure, and the professional value obtained from being able to talk about the research you do may be worth significantly more than the payout
Professional value that doesn't translate into money, do you mean? How do you categorise that?
I take the "professional value" to mean essentially putting it on your resume, gaining publicity by blogging about it, getting conference organizers to let you give a talk about it, etc., all of which may ultimately increase the money you can earn doing computer security.
Ethics aside, there are many things that move people, and it's not always money. For instance, selling the vulnerability means the author wouldn't have been able to tell their story.
> I can't find a reason for doing something like that.
Money often starts out as necessity or one of its close cousins. If I were 1) 8k miles away from my target, 2) in a region with more internet access than employment prospects and 3) needed to eat, I can see a path to profitable disclosure.
> For me, doing the right thing is beyond all these things,
This can be a luxury. After a year or 3 of kids in and out of hunger, what's right can get reframed.
> and I don't care about money beyond buying the necessities I need.
There's a difference between doing your job and earning money as a result vs. finding keys to someone's house and selling said keys to the highest bidder.
So this security researcher can keep doing his research without worrying about paying bills. The company gets a cheap security audit, the researcher gets money, everybody wins.
I would love to have the money (42k EUR) to buy Scewo, which is an advanced self balancing stair climbing wheelchair. Sadly enough, I doubt I will ever be able to.
Ethics aside, why not? That's why we have ethics.