I wouldn't be flogging this if there was higher list volume (or I had a life) but, WTF, there's not (and I don't).

Jason wrote:
> ...
> If he stated outright conditions, such as pay up or I go full
> disclosure, and if you do pay up, no one will ever hear about it,
> that, at least to me, is a pretty clearly stated criminal intent.

Agreed. If that were the case he probably would have been charged with extortion. According to the last info I read (AZ Republic article) he hasn't been charged with any crime. My take is that he's stunned and pissed that they didn't shower him with praise and money. I think he's guilty of being naive and amateurish. Kidz read stories from the days of yore, when tech companies hired people who hacked into them. Unfortunately, the net these days is chock full of soulless banker-type mofos who are there 'cause that's where the easy, low-overhead bucks are, IMHO, of course.

A fairly safe move would have been to tell them about the problem as a concerned customer. He could have added: "I'm looking for a job. Could your IT staff use someone to review security issues?" If hell coincidentally froze over at that instant they might have asked him to submit a resume.

The _safe_ move is to call as a howling, clueless luser and yell "How come I see somebody else's stuff instead of mine on the computer thing? Can they see what I put in? Huh? I'm gonna call the Newschannel Computer Expert Guy!" He might have at least got a free hotel stay out of it :-)

I've been following the PEN-TEST list at securityfocus.com. It has a good number of participants who do penetration testing for a living. The consensus is that if you point out security holes and offer to fix them for a fee you'll find yourself under investigation. You don't sniff at anything until you've got a "get out of jail free card" that your lawyers have blessed, or you're like a kid with a bag full of rocks offering to sell homeowners window insurance.
> Because the principles of full disclosure are FULL DISCLOSURE. It
> doesn't work unless it's full disclosure - and a promise to be silent
> after the bug was fixed shortchanges the security community.

It's no crime to advocate security by obscurity; it's just lame. There are plenty of people besides MS who are _really_ unhappy with full disclosure. Marcus Ranum of NFR is one particularly curious example; it got him to where he is, and now he'd like to slam the door behind him. Charming.

> Furthermore, there is no security reason to not give full disclosure
> after the bug is fixed... if he had any intention of telling anyone
> other than their IT department, he should have done so regardless of
> payment.

I'd argue that there's no value to security folks in reporting that you'd found yet another site with clueless web coders, but they've fixed it now. It's not like he discovered a buffer overflow in the http daemon.

> The *only* consideration ethically allowable is giving time
> for the problem to be corrected. It is unethical to aid in covering
> the problem up, and in fact would result in stockholders having a
> false sense of security about the company itself, had the problem been
> covered up.

*Bzzt*, I disagree again :-) If the internal IT staff found and corrected the problem, it's not unethical. It could be, if they didn't make a concerted effort to determine if someone's data may have been compromised and contact (at least) those customers. For example, if the logs show the same IP address making requests using dozens of ID tokens, only a few of which worked, that'd raise a flag.

Even _I'm_ sick of this now,

L8r
Steve
--
Never attribute to malice that which can adequately be explained by stupidity
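The log check Steve describes above (one IP address cycling through many ID tokens, most of them failing) is easy to script against an access log. The following is an added example, not code from the original thread or from the company discussed; the log format (Apache common-log style with the customer record selected by an `id=` query parameter) and the sample lines are constructed assumptions, and the thresholds are arbitrary starting points. It flags enumerating IPs and also lists the tokens that actually returned data from that IP, which is the list of customers you would need to contact.

```python
import re
from collections import defaultdict

# Constructed sample log (assumption: common-log format, record chosen by ?id=TOKEN).
# 203.0.113.7 walks through eight tokens, two of which return data (200).
# 198.51.100.20 is an ordinary customer reloading its own record.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2001:10:01:02 -0700] "GET /account?id=A1B2C3 HTTP/1.0" 200 1843
203.0.113.7 - - [12/Mar/2001:10:01:05 -0700] "GET /account?id=A1B2C4 HTTP/1.0" 404 312
203.0.113.7 - - [12/Mar/2001:10:01:07 -0700] "GET /account?id=A1B2C5 HTTP/1.0" 404 312
203.0.113.7 - - [12/Mar/2001:10:01:09 -0700] "GET /account?id=A1B2C6 HTTP/1.0" 403 298
203.0.113.7 - - [12/Mar/2001:10:01:12 -0700] "GET /account?id=A1B2C7 HTTP/1.0" 404 312
203.0.113.7 - - [12/Mar/2001:10:01:15 -0700] "GET /account?id=A1B2C8 HTTP/1.0" 200 1902
203.0.113.7 - - [12/Mar/2001:10:01:18 -0700] "GET /account?id=A1B2C9 HTTP/1.0" 404 312
203.0.113.7 - - [12/Mar/2001:10:01:21 -0700] "GET /account?id=A1B2D0 HTTP/1.0" 404 312
198.51.100.20 - - [12/Mar/2001:10:02:11 -0700] "GET /index.html HTTP/1.0" 200 512
198.51.100.20 - - [12/Mar/2001:10:02:14 -0700] "GET /account?id=F9E8D7 HTTP/1.0" 200 1790
198.51.100.20 - - [12/Mar/2001:10:02:40 -0700] "GET /account?id=F9E8D7 HTTP/1.0" 200 1790
"""

# ip ident user [date] "METHOD PATH PROTO" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+$'
)
# Hypothetical parameter name carrying the customer record token.
TOKEN_RE = re.compile(r'[?&]id=([^&\s]+)')


def parse_line(line):
    """Return (ip, token, status) for a record lookup, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = TOKEN_RE.search(m.group('path'))
    if not t:
        return None  # request did not select a record; irrelevant here
    return m.group('ip'), t.group(1), int(m.group('status'))


def summarize(log_text):
    """Per-IP counts: distinct tokens tried, successes, failures, tokens that returned data."""
    stats = defaultdict(lambda: {'tokens': set(), 'exposed': set(), 'ok': 0, 'fail': 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, token, status = rec
        s = stats[ip]
        s['tokens'].add(token)
        if 200 <= status < 300:
            s['ok'] += 1
            s['exposed'].add(token)  # a record this IP actually got back
        else:
            s['fail'] += 1
    return stats


def flag_enumerators(log_text, min_tokens=5, max_success_ratio=0.5):
    """Flag IPs that tried many distinct tokens with mostly failures.

    A legitimate customer reloading its own record hits one token and
    succeeds every time, so it never crosses the distinct-token threshold.
    """
    flagged = {}
    for ip, s in summarize(log_text).items():
        total = s['ok'] + s['fail']
        ratio = s['ok'] / total
        if len(s['tokens']) >= min_tokens and ratio <= max_success_ratio:
            flagged[ip] = {
                'distinct_tokens': len(s['tokens']),
                'ok': s['ok'],
                'fail': s['fail'],
                'exposed_tokens': sorted(s['exposed']),
            }
    return flagged


if __name__ == '__main__':
    for ip, info in flag_enumerators(SAMPLE_LOG).items():
        print(ip, info)
```

The `exposed_tokens` list is the part that matters for the notification question raised above: the enumerating IP is the suspect, but the owners of the tokens that returned a 200 are the customers whose data was read. Thresholds should be tuned against the real site's traffic; a support desk that legitimately looks up many customers from one address would need an allow-list.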