Victorian Transport Department calls cops on 16-year-old for reporting bug that exposed customers' personal data

So they put the cops on him after seeing the potential issues he’d so nicely informed them about, instead of sending him a nice fruitcake and thank you card.

Yeah, I got that, and as I mentioned before, the young man is not affiliated with that company in any way and therefore he owes them nothing in terms of how much he had to try to communicate said bug to them–that’s their issue entirely and he was essentially performing work they should have done in the first place. If anything, they should have sent him a check for his time invested in finding the bug and notifying them. So the threshold of communication is a nonstarter in my opinion–it’s their shit and their shit to fix. He gets the nice kid award for the day.
Hell, for that matter, the VTD’s lack of responsible software engineering (or responsible testing) moots any responsible disclosure needs of the young man in question.

This.