by threatofrain 34 days ago
This ought not be considered anything close to common courtesy. This is work. Mullvad is engaged in the business of making money. They should show how serious they are with your money.

Since when do you have professionals giving you examinations out of common courtesy? Out of courtesy can I get a free cancer screening?


If a doctor performed a cancer screening on me, for free and without me asking, then yes — as a matter of courtesy I would still expect that doctor to tell me if he found cancer, rather than reading about it on his blog later.
You are a person and they are a company. Please make sure to differentiate the two entity types when drawing parallels.
That is legally allowed as part of studies, to which a patient must agree after being proposed. Otherwise, it is illegal.
> If a doctor performed a cancer screening on me, for free and without me asking

But that would never happen, so the point is moot.

I have known doctors and lawyers and many others to do work pro-bono
Without the patient or client asking?
Well, yes. People have been diagnosed with skin cancer when a doctor saw a picture of them in an article and reached out to them.
> Since when do you have professionals giving you examinations out of common courtesy?

Maybe when they decide of their own volition, without any external pressure, to go and poke around your system?

"Hey, I'm a mechanic, I was looking at your car parked out there and noticed something incredibly dangerous that needs immediate fixing. I'll tell you what it is for $1,000."

Please...

Even better, the mechanic writes a blog post about the dangers of non-functioning brakes, but doesn't tell the car owner, because they didn't have a sign advertising their "car issue bounty program".

Seems to be a systemic issue with computer guys feeling entitled to financial compensation for strange reasons. See also, people licensing their software as "open source" and then being mad when people make money off it.

Even better, the mechanic writes a blog post about how the locks on that guy's car don't work, and how anyone could just steal it, but doesn't tell the guy because, after all, the guy wasn't paying him to.
Both of y'all confusing individual with corporate.

  The mechanic writes a blog post about how the locks on [a car model] don't work, and how anyone could just steal [cars], but doesn't tell the [car company] because, after all, the [company] wasn't paying him to.
Especially, when the car company spends on 'certifications' (security audits, in this case) and specifically markets it as a differentiator. That said, uncoordinated public disclosures in cybersecurity are bad form, given the well-established existing norms & culture; but at least, let's get analogies right.
Obviously there are a hundred variables that differ between the analogy and the actual situation. You changed one that felt important to you (individual/corporation) but there are still 99 that differ. That's what makes it an analogy instead of just being a retelling of the actual situation.

But yes, if you found a general fault in the locks of a certain car model and publicized it without first informing the company and giving them a fair chance to inform the affected customers, people would probably be annoyed with you. Individuals even, not just companies.

"You chose that car that advertises good locks. Guess what, the locks are actually bad and now I'm gonna publish exactly how, to teach the manufacturer a lesson about paying me money".