by drewcrawford 4573 days ago
Well given that homakov has found this bug, there are a few possibilities:

A. Homakov could do nothing. This leaves Twitter in the same state that it is now, but if everybody did this, it is likely that nefarious people would find and exploit bugs in Twitter

B. Homakov could donate his time, as a skilled and highly-trained professional consultant, to a $32bn publicly-traded company

C. Homakov could practice full disclosure

This isn't even close to blackmail. This is a security consultant publishing a vulnerability that he discovered on his own time, that apparently Twitter's internal security team missed. That might be embarrassing for Twitter, but that's hardly homakov's problem as a third party.

3 comments

> This isn't even close to blackmail. This is a security consultant publishing a vulnerability that he discovered on his own time, that apparently Twitter's internal security team missed. That might be embarrassing for Twitter, but that's hardly homakov's problem as a third party.

Perhaps "blackmail" was too harsh a word. A better analog might be discovering a business left their back door unlocked. Do you announce it to the entire neighborhood because the business doesn't give out "security prizes," or do you attempt to notify the employees? That seems like the point of responsible disclosure.

Well I think we are blurring two different issues here. The first question is whether or not full disclosure is acceptable. The second question is whether or not it is acceptable to choose it because one is not being paid.

As far as full disclosure being acceptable, there are a lot of advocates. For example Bruce Schneier, Leonard Rose, and others. Not to mention that this issue isn't in a high impact category like remote code execution, loss of data, privacy, etc. It's also difficult to exploit; it requires authorizing a malicious app. So for all those reasons separately, and certainly all of them together, I think full disclosure is a completely acceptable choice.

Given that it is acceptable, is it still acceptable to do it if it furthers our own interests? Again, I think the answer is yes. The fact it is in my interest does not make an acceptable action into an unacceptable one.

You seem to be hung up on the fact that the researcher here was not particularly nice to Twitter. But people are under no obligation to be nice. It would be nice if you sent me a check for $200. But you won't, because there's no obligation to do that. And you and I--two strangers arguing with each other on the Internet--have a much stronger relationship than this researcher has with Twitter.

Your analogy is missing the public interest: the business is the post office or similar and has all the neighbors' mail lying around. Does not affect your point though (still not okay to just announce it to the neighborhood).
Do you become a little more recognized by your peers by publishing that the door is open to your neighborhood?

Are people going to get killed or lose a lot of cash by knowing how to send unsolicited private messages on twitter?

Like most analogies; it shows your bias rather than some enlightenment on the subject.

And:

D. He could have sold the discovery to someone who'll pay him for it, then have them go on to abuse it to send DM spam to twitter users.

I have no doubt at all that homakov could have sold his discovery for at least as many dollars as any of the well known bug bounties would have rewarded him - if his motivations were purely mercenary…

> B. Homakov could donate his time, as a skilled and highly-trained professional consultant, to a $32bn publicly-traded company

This is probably the best option, but only if you approach it the same way most contractors do when offering a discount/free service for a client.

When you do free work, don't say it's free -- instead, say that you're offering a 100% discount. Send your client an invoice for the price you'd regularly charge for such a thing, with the entire price deducted off at the bottom. Include a note saying that this is an offering of goodwill, and that you hope this will help in building a relationship with them in the future.

Leave the client to decide for themselves whether this means that your future vulnerability reports will come without this discount, and see what they say in response.

You're missing a key difference. Twitter didn't commission the work performed here. Sending an invoice for work that wasn't requested is not only dumb, it's offensive.

What a dumb idea! I can't even tell if you're being serious.

Never tried it but obviously it won't work. It is easier to start with actions than with dialog here.