by larrys 4463 days ago
As someone who studies human nature I'd like to ask this question of the OP and anyone else who cares to answer. I'd seriously like to know this.

Why do people spend extensive time [1] documenting security flaws like this [2] and going to the trouble of informing the company? And then, if that doesn't work, take more time to write up a blog post to get the info out?

What do they gain by doing so exactly? Is this a play for internet notoriety? Or a way to gain attention that results in future fame that leads to something later?

Or, is it as simple as it just makes them feel good (like "hey why do you play poker") or is it they believe they are making the world a better place?

[1] Because this took considerable time.

[2] Yes, I know the OP indicates he is an "Information Security Enthusiast".

3 comments

There's no one-size-fits-all answer to your question just as there isn't to questions like why someone wants to be a programmer, or a startup founder. The micro-motivations of individuals doing this sort of work can be all over the map from person to person.

But as someone who very occasionally does such things (but isn't looking to "make a name" for myself as a security researcher, which is often a motivation):

1) The initial motivation isn't so much about documenting security flaws, but finding them in the first place. It is a very hands-on immediate-results-oriented type of problem solving where you look at a system that is intended (or should be intended, based on what it is doing) to be secure and find ways in which the security is lacking.

2) From there, informing the company is just about being a decent net citizen. If you can work around their security from the outside, other (potentially more nefarious) people can too, and in most cases the company simply doesn't realize they have a security problem, so informing them is good for everyone.

3) From there, if they refuse to fix the problem and it is very legitimately a security issue, responsible full disclosure (with a solid window of not talking about the bug publicly; I go with Google's 60-day window as a guideline) is about being a decent net citizen toward the product's users (if not the product's company). If they have gaping security flaws in their product that they won't fix, users who could and likely will get screwed by them deserve to know, so they can make an informed decision as to whether the company they are using is adequately protecting their interests.

But as I said, everyone is different. For some people it is mostly resume building, a collection of public CVEs on their way to a security research position; for me it is just a fun, very occasional hobby, and I've not publicly disclosed a gaping security flaw since the mid-1990s, because most companies will do the right thing in fixing real security issues if poked a bit these days.

"informing the company is just about being a decent net citizen."

With respect to this, would you say that there is a bit of a buzz when the company acknowledges it and pats you on the back and says "hey, thanks, good job" (like your elementary school teacher)?

So, taking this one step further, I would say that if that is the case then it becomes a big motivating factor, especially if the reinforcement is intermittent, because you are searching for the next hit of approval.

Agree? Or?

He's just upset there was no reward given to him and is blowing this thing out of proportion.

Demonstrates expertise in a particular domain. It's a good exercise to improve one's skills and a good opportunity to provide evidence of one's skills. No one knows what you're good at unless you tell them.