Heaven forbid we ask of a corporation that they compensate us for a job they should have done and that prevented huge losses and a PR nightmare.
Had I been OP, I would have sold the exploits with no remorse. We don't need companies like that on the market; rewarding corporations for bad behaviour with free labour is fucked up on every level.
Maybe they should have a bounty program, but they don't, and they made that clear. They didn't ask anyone to perform "free labor," and I don't think they have any obligation to pay for labor they didn't ask to be performed. I don't see anything unethical in their behavior. Your beef seems more to be with the researcher who decided to perform free labor for this company.
Selling exploits to the black market does strike me as unethical, though.
>Selling exploits to the black market does strike me as unethical, though.
If I gave them away and they got exploited, is it unethical? If I gave them away publicly vs. privately, does it make a difference? If I responsibly reported to the manufacturer a month previously?
I guess intent matters, and I'm ok with that being the line. In the end, though, I feel the rewards for fast production far outweigh the consequences of security bugs. My Firefox updated last night and added Pocket, and I was reminded that I couldn't even remove the useless bloody thing.
> If I responsibly reported to the manufacturer a month previously?
I'm not an expert on responsible disclosure, and I think reasonable people can disagree on the best course of action. I think selling exploits on the black market is always unethical.
> I couldn't even remove the useless bloody thing.
I'm a photographer and freelance software developer; I know all about not doing work for free and what that does to our industries.
This isn't doing work for free, this is a hobby. The time spent by this person was not requested by Pocket and they shouldn't be maligned just because they're not paying him.
Also, "sold the exploits with no remorse" really makes you sound like a troll. So I'm feeding.
If you're that worried about compensation, the correct answer is to determine up front whether there's a bounty program, and if not, move on. Not to do work you had every reason to believe would not be compensated, then complain when it isn't compensated.
You can ask them for a bounty program in the future, but you don't really have a right to get upset when they don't honor a bounty that was never promised. It's like demanding a reward for returning a dropped wallet.
Okay, so forget the word felony. "You would have aided/abetted a malicious criminal and profited monetarily by doing so?" My point is that selling an exploit doesn't become morally okay just because the company doesn't offer a bounty.
You say it's subjective and then the reason you give is that some people would, knowing that it's criminal, still commit a crime.
It looks like their view of the activity isn't that it's fine to do, rather that they don't care that it's not fine. This implies that they know and accept that it's not fine.
Heaven forbid people submit security issues because they want to be helpful or care about the project.