
From a legal perspective ...
Rick_R Updated - 9th Jul 2010
"Having said that, there is an interesting way one could make this work: the pay us or else approach - where the else part may be implied to mean:

* Selling the information to unnamed third parties, to use it as they see fit (with potential consequences to the vendor's customers),
* Shaming the vendor in public to suggest negligence (company X obviously values customer safety well below our $10,000 asking price),
* Simply telling the world without giving the vendor a chance to respond.
"

Speaking as an attorney, "pay us or we might or will do (the above)" could be viewed as extortion--either criminal extortion or at least what civil law calls "duress", which is the non-criminal equivalent (like "conversion" is the non-criminal equivalent of "theft").

Anyone making such threats could expect at least to receive a strongly-worded letter from a law firm threatening to press criminal charges or sue. At some point, some of the companies would follow through. Even if the "security researcher" won, he would have to spend tens of thousands of dollars in legal fees. Plus, everyone in IT management would know his name and he could forget getting any kind of work.

Plus, if the person making the threat used either the mails or wire communications (fax, telephone, email, anything involving the Internet) or did anything involving interstate commerce or sending anything across state lines, he could be subject to federal criminal prosecution for mail and/or wire fraud.

Also, if more than one person was involved on the "researcher" end, the group could be subject to prosecution or civil suit for conspiracy.
