If you seek out bugs in a company's code with the expectation that you'll be rewarded for it, and then the company fails to reward you, I can see that it might be perceived as unfair, especially if the company indicated that such an expectation was reasonable.
If you happen across a bug in a company's code, and then publicize it because they aren't going to pay you money for it, that seems a little more like "blackmail." People really shouldn't orient their moral systems around money.
A. Homakov could do nothing. This leaves Twitter in the same state that it is now, but if everybody did this, it is likely that nefarious people would find and exploit bugs in Twitter.
B. Homakov could donate his time, as a skilled and highly-trained professional consultant, to a $32bn publicly-traded company
C. Homakov could practice full disclosure
This isn't even close to blackmail. This is a security consultant publishing a vulnerability that he discovered on his own time, that apparently Twitter's internal security team missed. That might be embarrassing for Twitter, but that's hardly Homakov's problem as a third party.
Perhaps "blackmail" was too harsh a word. A better analog might be discovering a business left their back door unlocked. Do you announce it to the entire neighborhood because the business doesn't give out "security prizes," or do you attempt to notify the employees? That seems like the point of responsible disclosure.
As far as full disclosure being acceptable, there are a lot of advocates. For example Bruce Schneier, Leonard Rose, and others. Not to mention that this issue isn't in a high impact category like remote code execution, loss of data, privacy, etc. It's also difficult to exploit; it requires authorizing a malicious app. So for all those reasons separately, and certainly all of them together, I think full disclosure is a completely acceptable choice.
Given that it is acceptable, is it still acceptable to do it if it furthers our own interests? Again, I think the answer is yes. The fact it is in my interest does not make an acceptable action into an unacceptable one.
You seem to be hung up on the fact that the researcher here was not particularly nice to Twitter. But people are under no obligation to be nice. It would be nice if you sent me a check for $200. But you won't, because there's no obligation to do that. And you and I--two strangers arguing with each other on the Internet--have a much stronger relationship than this researcher has with Twitter.
Are people going to get killed or lose a lot of cash by knowing how to send unsolicited private messages on twitter?
Like most analogies, it shows your bias rather than some enlightenment on the subject.
D. He could have sold the discovery to someone who'll pay him for it, then have them go on to abuse it to send DM spam to twitter users.
I have no doubt at all that homakov could have sold his discovery for at least as many dollars as any of the well known bug bounties would have rewarded him - if his motivations were purely mercenary…
This is probably the best option, but only if you approach it the same way most contractors do when offering a discount/free service for a client.
When you do free work, don't say it's free -- instead, say that you're offering a 100% discount. Send your client an invoice for the price you'd regularly charge for such a thing, with the entire price deducted off at the bottom. Include a note saying that this is an offering of goodwill, and that you hope this will help in building a relationship with them in the future.
Leave the client to decide for themselves whether this means that your future vulnerability reports will come without this discount, and see what they say in response.
Neither do corporations, but whenever you hear anyone say "corporations shouldn't base their moral systems around money", then it's all about "free market", "profit" and "shareholder values".
I'm not saying I'd do the same in this case, but it's a bit of a stretch to assume people-people morals apply to people-corporate situations.
I'm not sure if you're trying to highlight an aspect of communal hypocrisy, but I will say that I wouldn't be one of the people shouting back stuff about "shareholder values" in response to a call for corporate social responsibility.
> it's a bit of a stretch to assume people-people morals apply to people-corporate situations
Sure, there's a bit of a power dynamic in play. But we should also remember that corporations are just huge groups of people working together for some kind of common cause. If you do something kind for a corporation (like, for example, responsibly reporting a security vulnerability instead of releasing it into the wild) then you're essentially doing something kind for the people that work there.
I'm not saying anyone needs to go out of their way to be kind to corporations... I'm just saying we shouldn't treat them like they're not "real" and don't deserve a single iota of basic respect. (Of course, if they show a lack of respect to others, that complicates the picture, but the same would hold for "people-people" morality as well.)
That is absolutely not true. A person doing a favour for a corporation will not get the same result as doing a favour for an individual.
The corporation isn't a group of people - it's a group of people under some control of a few. Their common cause is not the common cause of the employees, but that of those few in control. And I said 'is', because the corporation only has one cause - to make profit, any way possible.
Do not ever place any loyalty, or sympathy for corporations. Do not expect them to behave morally, or altruistically. It will only end badly for you. Try to extract as much value out of a corporation as you can, just as they do to you.
But Twitter is like saying "back off, we are huge and we don't pay researchers a cent". So let it be.
Twitter obviously wouldn't drag a hacker to court. I'm saying, in general, don't do this, because other companies might. http://en.wikipedia.org/wiki/Randal_L._Schwartz#Intel_case
Lie back and think of England.
He's not US-based, so he can freely give them the finger. Good for him.
It's not paranoia. Once you start straying from the path of responsible disclosure, the path to danger is quite short.
In this case, I think you're in no real danger since it's Twitter. So don't worry. But if it were some other company, though, you wouldn't be able to rely on goodwill to protect you. And without any protections, there's nothing preventing the (extremely powerful) courts from bringing charges. It's happened before; it will happen again.
I'm not saying it's true, but it's plausible that some people in Egor's position think that way. And he seems to like his publicity, so 1+1 = 2.