[gethly]

> Specifically, in multiple communications with MLB employees, STREIT claimed that he knew MLB reporters who were ‘interested in the story,’ and stated that it would be bad if the vulnerability were exposed and MLB was embarrassed.

Oh man, such a stupid thing to do. This turned a $150k bounty into extortion.

[jimmydorry]

> Streit indicated his work was worth $150K but was also informed there was no ‘bug bounty’ program at the baseball league.

Sounds like a bug that would have been better off anonymously leaked for the other IPTV providers to pick up, after said bug was valued at 0 in greyhat dollars.

[joshmn]

The bug couldn't have had less to do with streaming, and in the wrong hands would have been worth a significant amount of money—exponentially more than what the Shopify CVE calculator spit out and I replied with at the time. There's more here: https://prison.josh.mn/charges

There's a lot of nuance, and what was ultimately reported about the bug isn't how things played out—there's tons of context missing. I won't talk more of the bug, or the handling of situation. I realize it was the leading headline (more so than the "guy had streaming website") but it was, in my opinion, also the most far-fetched.

[gethly]

That is not what it says. They only said they had no bounty program to attract people to try and find bugs. That does not mean companies are not willing to compensate you if you find and report a bug in their system. I think 150k was well worth it, but the guy just worded it in the worst possible way.