Very interesting article, and funny in a dark way.
But I can't help but compare these guys to this guy[1] who was on the front page of HN 2 weeks ago. He privately disclosed the vulnerability, then waited 12 days, then publicly disclosed it on his blog. And there was widespread outrage and condemnation of him for daring to disclose that quickly, putting users at risk. He was described as "a parasite on society". Well, if someone who privately discloses, then waits 2 weeks and publicly discloses, is a parasite, what is someone who sells exploits to oppressive countries that kill journalists? With that comparison, the discloser seems downright virtuous.
Full disclosure is not what people had an issue with there. The problem is he only waited 12 days, and didn't really try hard enough to confirm someone at McDonald's was aware.
The standard is something like a minimum of 30 days (usually more) upon confirmation of receipt. He never saw someone acknowledge the disclosure, so McDonald's security staff could justifiably say they were not aware and couldn't have done anything.
Responsible full disclosure, like how Google's Project Zero reports bugs, is the best compromise.
He tried contacting them 4 different ways. How many ways is he expected to try? He's not being paid for this; he's doing them a favor. It's not his fault McDonald's doesn't have any method for reporting security vulnerabilities. Is he expected to fly down to their headquarters and talk to them in person? At some point you just have to give up. Admittedly, yes, he could have waited longer for a call back in this case.
You can't really compare an individual person with Google. Google employees are being paid to do that, so of course they can spend all day trying to contact companies; it's their job to be professional. And they probably have databases of high-level security contacts at most companies. And any company will likely take a contact from Google seriously, but possibly blow off a contact by some random guy.
This same story was told from the perspective of Cristian Provvisionato, the Italian who has been detained in Mauritania, in Motherboard a few weeks ago:
[1] https://news.ycombinator.com/item?id=13407717