
Or you can just post your findings to full disclosure and call it a day.



What incentive, besides good-boy points and experience/publicity/etc (for more funding), do researchers have to do this?


In this case, the researcher cared because they wanted the bug fixed. Posting the vulnerability publicly risks having it be exploited maliciously, but it also maximizes the likelihood that the bug will actually get fixed, because it's hard to ignore a public vulnerability in your service.

If you don't care about your reputation, you post anonymously. An anonymous full disclosure post is a good way to report a bug without dealing with drama about your "incentives".


I sat on this disclosure for ten years because family told me the FBI would go after me. Good advice or bad advice, that was ten years of my life that could have been better spent.

One time I found a photo printing website made all photos public. They refused to fix, I fully disclosed, it made front page Slashdot. Then the company had to change its name. Maybe it was fun or maybe I get credit but most importantly it gets something from my TODO list to my DONE list. This is very important to me.

I have a 0-day on Apple, not very exciting. I reported it in 2015 and they still have not fixed it. Having this in my inbox is a waste of my time thinking about it. I will FD it.

My experience is that security researchers do not make money unless you run script kiddy programs for stupid bounty programs. When I interviewed for a "security" job all they would ask me about is Microsoft certifications and user access testing. I asked if a TLA offer letter counted as sufficient reference and he said no. At that point I immediately switched from MS CS into MS Finance and MBA and my life has improved (while still being technically challenging and academic.)

So technically my disclosure policy is IJDGAF with two extra weeks as a gentleman's favor. Maybe I'm the bad guy, but that's why I'm here for the lovely discussion on YC. Thanks for sharing.


You have never heard me say IDGAF is an unethical policy. If you've paid attention to me here (I don't know why you would), all you've seen me do is point out how Orwellian and coercive the term "responsible disclosure" is.

For a CSRF that you didn't use someone else's account to exploit and that you've told nobody about, and assuming you have no acquaintances who might screw you over by abusing the bug, 30 days and then Pastebin seems like a decent answer.

If any of your friends are shady, just forget about the bug.


It's "broken window" community policing.

The more unpatched vulnerabilities there are in existence, the more lucrative it is to be involved in any part of the computing crimes community.

It's like reglazing a broken window in your neighbor's garage at your own expense, because you don't want burglars to see it and start casing other properties in the same neighborhood based on the conditional probability that a visible broken window indicates a higher incidence of other exploitable vulnerabilities.

It's also important to pursue the very easily exploited vulnerabilities, because when you get rid of all the low-hanging fruit, the people who can't already climb the tree won't survive long enough to learn how. You're cutting a lot of bootstraps so that immature criminals can't pull themselves up by them.


This is correct, and the morally sound right thing to do if you're interested in cutting down on cyber-crime, but it unfortunately falls under the incorporeal "good-boy points."

Perhaps there's a breakdown of definitions here. I've lumped bug-bounty hunters and grey hat hackers, along with actual researchers, under "researchers." Stop me now if this isn't who you're referring to.

Now if it is, this route of action goes against the researchers' monetary incentives. It is in their wallets' interests to have criminals validating the existence of their work. As well as selling the direct findings of one's research, including even minor exploitabilities, which is a given.

If researchers were to constantly give away their work (on even little issues) it would directly lower the cumulative value of cyber-security research, i.e. their more expensive projects now sell for less.


RE Broken Window.

The FBI / NCFTA invited me to speak about this vuln because it may have affected many banks at the time. (Please stop laughing.)

They called me to cancel. "Now we're all focused on this big DOS. Do you know anything about DOS that's happening today you can help us with?" I asked if the DOS is affecting the stability of the system or actually breaking anything. And they said yes it is bringing the banks down and affecting revenue.

You can read into this anecdote as you wish.


This was fascinating. Can I read more somewhere?


https://en.wikipedia.org/wiki/Broken_windows_theory

New York City based their increased focus on petty crimes on it. I don't think it is useful as the basis for a model of policing, though.

In some ways, it is an embodiment of the slippery slope fallacy, where if security is not perfect, it's worthless, in the same sense that a roof with one leak in it is worthless, because that one leak becomes the beachhead for further damage to the roof.


Ahh! I just realized, I read about the New York broken windows situation in Malcolm Gladwell's excellent book (in my layman opinion) The Tipping Point.

From the original article in 1982:

Consider a building with a few broken windows. If the windows are not repaired, the tendency is for vandals to break a few more windows. Eventually, they may even break into the building, and if it's unoccupied, perhaps become squatters or light fires inside.

Or consider a pavement. Some litter accumulates. Soon, more litter accumulates. Eventually, people even start leaving bags of refuse from take-out restaurants there or even break into cars.

Broken Windows, The Atlantic Monthly, March 1982

--

The way I would put it, based on my visits to my home town of Zagreb, Croatia:

Apathy is contagious.



