I think they should negotiate a security test beforehand. For their own sake but also to get a buy-in. And if a company categorically refuses, you can then publish that, or share that you worry about a lack of track record in known security audits. That's a professional way to hold them accountable.
Breaking into a system unannounced and then stating "do what I say...OR ELSE" is neither legal nor professional. When you're surprised that this will be perceived as an attack instead of being helpful, I don't know what to say.
> When you're surprised that this will be perceived as an attack instead of being helpful, I don't know what to say.
Correct. This is why I believe they (or at least some of them) weren’t actually surprised lol.
> If you can’t tell from his wisdom, it was not Cooper’s first time dealing with legal threats.
This is a quote from the post. The author acknowledged that his fellow researcher was experienced with interacting with lawyers for exactly this kind of scenario.