by kermorvan 4305 days ago
Reading your post makes me wonder why bug-hunters aren't more cautious about this. Sure, the sentiment is good; it is a moral obligation to expose a bug that could be harmful to users.

But if you suspect you could get burned for pointing it out, you can take steps to mitigate it. Anonymity for example. Then again if you are in it for the fame and recognition, getting burned is a risk you are taking out of vanity.


Because most of the time, the thought doesn't even occur to someone that it could be an issue. Here you are, going along, and suddenly you find information that shouldn't be public. So, you send a quick email. After all, it was probably an oversight, and it only takes a minute of your time to inform somebody.

Because most people aren't in it for "fame and recognition" or "vanity"?

If I find a bug in a piece of software, or something misconfigured, I tend to report it and move on. I don't try to hide my identity before reporting it. A security vulnerability is just a bug or misconfiguration that happens to be exploitable for nefarious purposes. The responsible thing to do is to notify those responsible, and anonymity doesn't help with that; they may need to follow up to ask questions to find out more details about it.

While there are some people in the security community who are prima donnas, who try to hype themselves and their exploits to gain recognition, this case does not appear to have anything to do with that. This is someone who sent a private email to those responsible, and then started seeing articles online and getting complaints emailed to his college about irresponsible hacking of other institutions' websites in front of students.

The guy was helping others. He should not have to take extra steps to be safe while doing it.