The article says the prosecutor's recommending an 8-year jail term, but since the court hasn't decided on the case — how did the hacker "get" a jail term?
Is the article wrong, or is the Hungarian legal system different from what I'm used to?
I think the threat of prosecution in this case is already some form of damage. Even if he is ultimately not convicted, future whitehats will think twice about coming forward because this one was _threathned_ with prosecution, thinking "what if I don't get so lucky?"
The smart thing to do, if a company has no public vulnerability bounty program, is to sell the information on the blackmarket instead. This will incentivize all companies to start their bounty program, whilst still getting some cash reward.
I don't know about the "sell the information on the blackmarket" part. But uninvited pen-testing seems pretty risky. Maybe it'd be prudent to have an ~anonymous pseudonym for this stuff.
And if you really care about reputation building, you could use an ~anonymous pseudonym plus the sha256 or sha512 hash of some string. If it all works out, you just share the string, and reap the credit.
I agree. No need to get way too unethical to make a buck.... Ask for Monero or something if they want the full disclosure before you publicly and anonymously do a full disclosure.
It might incentivize the companies to change, but it might not. Especially if you end up selling it to an entity who uses Meanwhile you are doing real damage.
Why not publish the leak online to force the company to fix it asap?
Cyware is a garbage site that copies articles from actual news outlets. If you read coverage on other sites, they all say he faces up to 8 years in jail. He's been barely charged.
The article says the prosecutor's recommending an 8-year jail term, but since the court hasn't decided on the case — how did the hacker "get" a jail term?
Is the article wrong, or is the Hungarian legal system different from what I'm used to?