[Owasp-rochester-announce] Question: Is this extortion or security consulting?

Andrea Cogliati andrea.cogliati at owasp.org
Sun Oct 4 20:40:52 EDT 2009


It's definitely blackmailing. Like it or not, the only "currency"  
received by security researchers for discovering vulnerabilities is  
credit. I don't entirely agree with this practice, but this is how the  
industry has been working for almost 10 years.

Andrea

On Oct 4, 2009, at 2:29 PM, David Stevenson wrote:

> I saw this in LinkedIn in the Question and Answer section. People  
> are calling this payment extortion. Is that a correct view, or is  
> the hacker protecting consumers from poor security provided by  
> corporations? Unstated in this description is whether consumer  
> identity information, such as credit card numbers and/or social  
> security numbers, were at risk of disclosure. Also unstated is  
> whether company assets, or revenue, were at risk due to the security  
> flaw. Were the security risks easily preventable, such as security  
> risks caused by SQL Injection attacks?
>
> How to recognize on the financial statements a payment to a hacker,  
> that stops him from posting a security flaw on the internet?
> A payment of 100,000 was made to keep the flaw of the program from  
> being public, how would this payment be recognized on the financial  
> statements?
> David Stevenson