[alt227]

If you are talking about some open source project then I would fully agree.

But when it comes to money making corporations then personally I dont agree that revealing flaws in their product comes into ethics at all.

A companies paid product is flawed, their own paid engineers didnt figure that out, why should I do it for free becasue 'ethics'?

This is the entire reason bug bounty programs exist in the first place.

[fn-mote]

You seem to have a very bright line between the acceptable behavior for “no money involved” and “money involved”.

For me, it’s more subtle than that.

Everybody (“almost all software”) has exploitable bugs. Are you a fool for not finding the ones in yours? Maybe. Sometimes.

There is a huge difference between Project Zero finding a trivial vulnerability almost identical to one reported months earlier (close to negligence) and Mullvad having the CEO personally posting a response here in a very calm tone.

[alt227]

> Are you a fool for not finding the ones in yours?

If I have a company which sells a paid product, and my paid engineers do not find bugs then I absolutely do not expect the public to willfully and freely make my product better for me. This is why I would have a bug bounty program as an incentive for the public to help me makle my product better and more secure, like any other company serious about finding security bugs.

If I didnt have a bug bounty program and found out that some black hats were selling backdoors to my system online, I would consider that fully my fault for not incentivizing those hackers against doing so.