
This is just precious:

@ElliotSpeck: > ...I'm available for consulting if you ever want to hire a security manager for @phpfog. :)

As someone who takes security seriously, and manages shared hosting security for a living, I can't imagine what the PHPFog people are going through right now. Finding security holes in commercial systems and discreetly notifying the owners of the problem is one thing; broadcasting knowledge of the holes to the world without a reasonable wait is akin to criminal. I don't care if they actually exploited it, they just threw wide the door without a second thought.




> Finding security holes in commercial systems and discreetly notifying the owners of the problem is one thing

Last time this happened to me, I gave 6 months free on a dedicated server which was announced in an e-mail that went out to around a thousand users (the focus was explaining why feature x was disabled for the past few days).

It was brought up in discussion that it was probably too much, but the alternative to me was terrifying considering the amount of tickets opened because of the preventative measures.


Yeah, in my experience, the best way to handle these things and keep goodwill is to own up to them and take responsibility for what happened; and explain to your customers what happened, what went wrong, how you fixed the problem and (hopefully) the entire class of problem, and what you've done to prevent the issue in the future. A mature and honest response goes a long way.


> broadcasting knowledge of the holes to the world without a reasonable wait is akin to criminal

I wouldn't go as far as that. It's sure bad form, but disclosing a fact (maybe with the exception of immediate national security concerns) can't be considered a crime.

This will cost the PHPfog folks some and they can - and should - pursue civil action against whoever causes damage to them.


Disclosing a fact? No, that's not necessarily criminal.

Publicly admitting to having committed a "computer crime"? That's a different story.

I think the point _phred was trying to make is that publicly disclosing the issue like this puts all of the sites on PHPFog at risk.


Exactly; as I said, "disclosing a fact without a reasonable wait" which is fair and ethical in the security world. I'm all for full disclosure, but give the affected parties time to clean up the mess and get PR ready.

After berating one of the "d00ds" involved on Twitter, it looks to me like he told his friend how to exploit the problem, and his friend (or his friend's friend) made the site and exploited the hole.

If I show someone how to break into your house, and that person tells someone else "hey, nbpoole's house is open, let me show you," and your house gets broken into, am I completely innocent of the crime? Security knowledge is the kind of knowledge that gets things broken into, so security people necessarily need to be cautious about who they tell about security problems.


FYI, when I found out about an open ASP.NET padding oracle at Subway.com, all I did was run PadBuster to exploit it without damaging the servers in any other way. Eventually I reported it to feedback@subway.com, and only after a week of no response did I finally post it to reddit: http://www.reddit.com/r/netsec/comments/g9crj/open_aspnet_pa...


There are numerous facts which disclosing would be considered a crime. For one thing, copyright infringement is a crime; all that is, in essence, is disclosing a fact. Disclosing trade secrets may be a crime. Disclosing personal health records can be a crime. Disclosing insider information to a third party can be a crime. There are plenty of facts which can be criminal to disclose.

Now, this particular case may or may not be criminal, but it is at least incredibly irresponsible.


I think this is a federal crime in the US. If he was an idiot and actually disclosed his details, they can find him and actually extradite him from Australia for this... Not a lawyer, but wow, he did not think this one through.



