Wednesday, September 9, 2015

Shoulda Checked On That Beforehand

from here

I kinda feel like it should be some sort of fail to spend the time and energy finding up to 30 vulnerabilities in products from a vendor who isn't prepared to pay for them.

It almost sounds like extortion to demand money from them, but rather than paying for the extortionist's silence, this 'extortionist' is doing things backwards and staying silent until he gets paid. Isn't silence precisely what a bad vendor would want? Is someone doing extortion wrong?