Am I reading this right? Are both sides of this story intimating that the security guys found a vulnerability in the site, published it, and then pitched them a consulting gig? Go live with something or not, pitch a gig or not, but I'm not sure you can have it both ways without looking skeezy.
