by Soyuz 4307 days ago
I'm not sure why people inform organizations about vulnerabilities. All they will get from informing them is a shock when they slap you in the face and call the police for the alleged hack!

It is better to sell the vulnerability on the underground forums.


No it is better to do absolutely nothing, and quietly divest yourself from them because that's not illegal.

But what we really need are some damn whistleblower protections for cybersecurity - buzz-wordy enough for government funding and command centers, but no actual help for the people who want to help because it feels like the right thing to do.

There are protections for cybersecurity here. From the article:

> HIPAA explicitly forbids LSU from retaliating against me for reporting a HIPAA violation, so I filed a federal complaint against them for their illegal retaliation.

Consider it an ethics thing. Willing to take the risk to protect those innocent people's data, or sell a grandma's SSN to the highest bidder. I think identity theft takes a certain amount of self-centeredness and lack of empathy that I could never deal with. The option to do nothing is a strong one as well. I would say it's best to report it, but do it anonymously.