by sneak 4705 days ago
I wonder if emailing them and asking for e.g. a 25k reward before disclosure exposes one to criminal liability or not.

I mean, is there a law making it illegal to sell exploits to the black market? These bug bounty programs must know they compete with a large market for these sorts of things.

3 comments

I think the goal of the $5000 is not to discourage criminals, but rather to encourage someone who notices an issue to write it up, produce a test case, bother to send an email to security@, and then follow up rather than just say "LOL, idiots" and move on with their life.

The $5000 is also a nice incentive to keep looking around.

If you sell me the exploit, and I use it to perform a crime, then I believe you may also be charged as an accessory. IANAL.

IANAL, but action with malicious intent is pretty much enough to get you behind bars.

Not always. For example, speaking truthful factual statements with malicious intent to harm someone's business by damaging their reputation is totally legal, provided you're not defrauding or blackmailing anyone or otherwise acting sketchy.

There're a lot of actions based on malicious intent that are (and should remain) legal.