Good luck fighting about CF's morality, HN. But the root cause here is the lack of legislation explicitly defining the rights and obligations of security researchers and the vulnerability reporting process.
As it stands, you can get raided for vuln reporting (it doesn't happen a lot, but because of common sense, not law), harassed, face retaliation, and have the vendor silently fix it without crediting you.
For some reason everyone thinks this is a matter to be legislated and resolved by popularity contests (don't use vendor X) and/or capitalism. Which is interestingly why the FTC is even involved, I guess?
In an ideal society you wouldn't need such laws and the default would be liberty, but in this society the only reason researchers are even being allowed to do their job is things like Twitter and fears of PR nightmares (which won't work with every vendor/company).