Agent_047
Author needs to know, this is almost the dumbest way to handle a Vulnerability Disclosure. Lawyers aren't shields against stupidity.

The kind of org that would pay for a security assessment does it themselves, because there are a lot of charlatans. They test and approve the work. It's often called a Bounty Board. Orgs big enough to have a Bounty program, but that don't, are usually going to sue for damages instead.

Very, very few White Hat "corporate" hackers make enough money with 0Day or vulnerability assessment, typically because it's a war between groups that often hide the vulnerability or sell tools to others, including government-funded hacking and Intel groups. A lot of these groups are semi-fraud, ex-government employees, or both. And if the vulns don't go public, they don't 'exist' because they have to be tested. They won't buy, they won't subscribe and they definitely won't buy the software they didn't write.

Hacker... it's Facebook. They know more about global identity and networks, schools, business employees, shopping, etc. than they admit, more than most intelligence agencies or police services. They could likely find his identity in hours, and legally confirm it in a week, preparing a counter-suit for damages.

Disclosures go wrong all the time if the company does not have a Disclosure policy. If they don't have a Disclosure policy, they only want to hide the information, not fix it.

Because these orgs are Publicly Traded, Bad News is very, very costly and becomes a reason to sue for damages, especially if FB decides to not pay, leaks the vulnerability to others, or gets hacked; the damages would be MC's or tied to the bad actor, whose identity would be unknown, unprovable. And, even if you could catch them, you would also need to prove the conspiracy, legally. He won't get paid, he will be sued. Bringing a Lawyer won't help defend against a preemptive claim for damages.