[phoronixrly]

Wait, you can't really think that it's ethical and in any way a person's responsibility to expose themselves to the CFAA and lawsuits??

Ok, let's go over this again - it is naive because you naively trust the vendor not to report you to the authorities/sue. A side effect is that such companies never get to learn their lesson, thus you naively think that you contribute to overall privacy and security while the effect is opposite - the company got a freebie and won't change security stance, the CFAA gets to stay.

I would argue about the ethical part as well. One way to guarantee ethics is to immediately report to both vendor and respective government body so that any suspicion of blackmail is removed.

Another person's definition of ethical would be to immediately notify all affected users.

My personal stance is that the IT community needs to shut the fuck up until companies start begging for help and the backwards-ass CFAA gets deleted. This is ethical - you didn't get paid for a security audit, then you keep your mouth shut and offer no free work and you don't expose yourself to lawsuits.