by lstodd 24 days ago
I... just can't wrap my head around that.

Once the notification is in and the shell demonstrating it is up, it should be an immediate redeploy to a clean state, fix the hole, redeploy to a patched state.

The shell disappears on step one.

Instead some moron has the audacity to get all hurt because the broken system he is responsible for has not been patched back by the attackers?

What is this lunacy?


It's at the minimum a bit impolite to leave the system more vulnerable in between sending the report and the report being received and acted on.

It didn't become any more vulnerable.

This is security: you have to have procedures for when you get owned; the bug bounty program is orthogonal to that.

If they wiped the prod db and put up goatse on my site, I would have still paid and said thank you, provided I was told how that was done.

> It didn't become any more vulnerable.

That depends on how secret the URL was. If you go from needing an exploit to just visiting a guessable link, that's significantly more vulnerable.

> If they wiped prod db and put up goatse on my site I would have still paid and said thank you provided I was told how that was done.

Well most people wouldn't, and for good reason.