Just wanted to thank you and the other guy for the interesting and entertaining argument posts you had, it helped amuse me while being bored on my break.
I had to side with @TheCyberQuake though, regardless of who made more sense, because your attitude this whole time left a sour taste in my mouth and my mind. Sorry, man.
Props to @TotalInsanity4 for the thumbs up fun.
Well, I am sorry that I left the sour taste in your mouth, that was not my intent. I did get carried away on some rants and admit that, for that I do apologize.
My simple point was that I agree with most people. Someone works hard on finding exploits and wants to make some cash for that work, they are more than within their rights to do so. They don't owe the underground hacking community anything. They are true professional Security Consultants. Either on contract, independent (i.e. with programs like hackerone or through other connections) or work directly for these corporations. You will never, ever hear from these people other than maybe when they retire and they write very interesting stories on their lives/careers and the major flaws they found and catastrophes they helped companies avoid.
What my beef is and was is with the other group that come on forums like these and announce their so-called findings in search of hype, epeen, webcred, etc, without any intention whatsoever of releasing the exploit they found. There really are only 3 types of people that do this. One is the type that tried to go the professional route and for whatever reason got rejected by the corporation and are butthurt (either the price they were asking was too high, the exploit was already known but not publicly released, it really wasn't as major as they made it out to be, simply has a "less than desirable reputation," etc, etc). The second is one that is trying to generate enough public hype so that they can hold for ransom the knowledge they possess and use the hype and publicity to extort corporations for much more money (or even get a payday without showing proof of their exploit) than what they truly deserve (i.e. what is known as corporate terrorism) or publicly shopping their findings to the underground hardware scene to develop hardware to use their exploits. Lastly you have the third who just is looking to create a ruckus. This really comes in 2 forms. The first is the one that simply wants everyone to bow down before them and say "na na na na na" and the second is just a complete fake who really has nothing at all and is just looking for 15 minutes of fame so they can later turn around and tell everyone what suckers they are (or even worse, extract donations, both monetary and physical hardware). We have seen our fair share of all of these. That is why there is such a backlash about it.
A true professional would never announce publicly that they have an exploit on anything. Anyone else deserves the backlash they get. While it may be slightly veering off-topic, it's still relevant as I was responding to the community's attitude with developers that work at finding security flaws and I was attempting to explain the differences and why some are hated and receive public lambastings and why some are accepted and respected. Blindly defending a security expert without understanding the differences is very naive and making blanket statements like "they did the work, they can do whatever they want" isn't necessarily true. If someone chooses to go public with something, then their motives need to be examined and they deserve the public scrutiny and should not only expect it but should be prepared for it and not throw a tantrum when faced with it.
Sorry for the essay but hopefully that is a more unemotional and logical response. Please forgive me. I have been around for a couple of decades now. We went from a community of superiority (both in the normal IT world and the underground hacking world) where you would get ridiculed for asking questions to the generation where everyone finally pulled together and was actually working with one another to a generation of secrecy, manipulation and downright hatred and character assassination (to the point of people actually sending people to jail, court, swat raids) to this new generation where you get tonnes of announcements of the "next big hack" but they would rather take the stage at defcon or show up on every board talking about it and rubbing everyone's face in it.
It's very disheartening and sad to see how the underground hacking community has evolved and, in my point of view, is dying. Sometimes I get a little too passionate about that.
True, professional Security Experts/Consultants/Analysts will absolutely never get a disparaging remark from me and have my utmost respect for what they do. It's the others that I detailed above that destroy their reputation and integrity with their unsavory behavior that deserve our wrath.