Once companies started suing people trying to practice “responsible disclosure”, I stopped attacking people that choose maximum disclosure.
Responsible disclosure has always been a bit of a hedge. It’s rare to be able to show you are actually the first person/organization to discover a vulnerability.
Against best practice of informing the company first to remediate. Now it’s a security nightmare for anyone running it locally.
We don’t really know if he contacted them before, do we?