by zdimension 746 days ago
At the same time, Cox is a commercial entity that makes money by providing services. Cyberattacks make them lose money, so it's only fair for them to financially award people that responsibly inform them of vulnerabilities instead of easily and anonymously selling those.

We're not talking about a grandma losing her wallet with 50 bucks in it and not giving money to the guy that found it and gave it back to her.

>it's only fair for them to financially award people that responsibly inform them of vulnerabilities instead of easily and anonymously selling those.

Yes, Cox has that choice. But, what you're describing is the definition of extortion. The fact that it's easy for people to get away with it does not make it ethical.

It's not the definition of extortion. If I walk past a business and notice the locks on their windows are rusted, and I happen to be a lock guy and say, "Hey, I noticed your locks are fucked, I'd be happy to consult for you and show you how and why they are broken," that's just doing business. Extortion is telling them, "Hey, your locks are fucked and I'm telling everyone unless you pay me." It requires a threat.

You just manufactured a completely different scenario.

The comment I responded to was this:

>it's only fair for them to financially award people that responsibly inform them of vulnerabilities instead of easily and anonymously selling those.

That comment includes the threat ("instead of easily and anonymously selling those").

So, yes. That is the definition of extortion.

I think preventing people from having that incentive vs an actual threat are not the same, which is how I read the hypothetical.

>I think preventing people from having that incentive vs an actual threat are not the same, which is how I read the hypothetical.

The following two sentences read the same to me:

"To remove my incentive to harm you, you should pay me".

"To remove my incentive to share information with others who may harm you, you should pay me".

And, the threat is pretty clear IMO.

Do you not lock your doors because you feel you shouldn't have to worry about people stealing your stuff because it's morally wrong to steal, or do you do it to mitigate risk? Suggesting someone should mitigate potential risk is all we are talking about.

Great response, entirely agree.

At the end of the day your enemy has no ethics, and we share the public internet with enemies. If paying to find security flaws means it's more likely people will find your flaws rather than sell them to someone that will use them for nefarious means, then it is the better bet.

Making an argument for what's practical and what's ethical are two different things. My comment was about the latter. Yours appears to be about the former.

Ransomware victims have sometimes found it practical to pay the ransom. They're still victims of extortion.