Test post for wall-o-text:
Bug Bounties and Companies
A company publishes a piece of software. As software does, it has a bug. This bug comes to the attention of a security researcher. At this point, there's a set of choices that the researcher has:
First, they can attempt to contact the company to have it remedied. This is the approach considered to be the most ethical by many commentators, regardless of whether the company offers what is known as a 'bug bounty'--that is, a payment for those persons who report bugs that could result in problems with their code.
If the company does offer a bug bounty and if they decide that the bug that is reported is worth fixing and if they decide that the researcher submitted it properly, then they may pay the researcher some amount of money that is generally far lower than what the researcher would have earned if they'd spent their time working the checkstand at the local supermarket.
If the company does not offer a bug bounty, then the researcher has given up their valuable time to fix the company's product gratis--and if they should request that they be recompensed for their efforts, they will be labelled as an extortionist. In some cases, the company or organization will go so far as to call the police and accuse the researcher of maliciously cracking their systems; there are many examples of this.
Alternatively, the researcher can approach the black market and sell the bug to someone who wants to use it for (presumably) nefarious purposes. This is generally considered the province of criminals and other shady types, and most "upstanding" folk would consider it to be unethical.
If the choice is between being called an extortionist and having the police called on you for trying to make a living or selling on the black market, a rational person would probably choose the black market.
Let's look closer at the situation here, though, for companies that don't offer bug bounties and the researchers who want to be paid for their work.
First, the perspective of the company is fairly obvious: why should they pay for unsolicited effort? After all, they didn't ask for the researcher to go poking his nose where it doesn't belong; they shouldn't be held to account for someone else's efforts that were neither requested nor wanted.
The perspective of the researcher is just as obvious: they've put in time and effort and applied their specific expertise to finding something that has value, so they wish to be recompensed for their efforts. People have to make a living, don't they?
The disconnect is in the assumed motivations on either party's part. The company assumes that anyone looking for vulnerabilities in their products or services is necessarily a criminal; legitimate users have no business looking 'under the hood' to try to bypass the proper and desired operation of the product or service. The researcher assumes that the company is interested in making the most secure product or service possible in the name of protecting their users.
The third story is, of course, that of those researchers who are hired specifically to find vulnerabilities for criminals, so that the criminals can spread spam or engage in any of the other various nefarious activities.
These disconnects arise from a common source, and one which can be explained with security guards.
For physical security, most companies of any significant size will have a private security firm contracted to handle their security. These companies monitor the physical premises, check for intrusions, and either respond directly to alarms or dispatch police forces to handle incidents.
The exact same requirements exist on the information security side--"cybersecurity" to use the buzzword--but the capability for response is vastly different: there generally is no easily traceable attacker, and there are no police to respond to most intrusions.
The lack of capability for meaningful law enforcement response, and the lack of capability to identify most attackers, changes the threat landscape for the company--but the company will still think in terms of the physical security that they're used to.
Further, this means that, absent a purposefully-hired security service, there are no guards for a company's network; anyone volunteering inherently looks like a mafioso, demanding protection money.
This is complicated by the existence of actual mafiosi demanding protection money on the internet: extortion scams usually center around threats of DoS attacks, but there's no reason why they couldn't branch out.
Add this together--the lack of capable law enforcement response to information security breaches, the presence and activity of organized crime on the internet, the misconceptions that non-technical persons have regarding the differences between physical and information security, and the difference in value ascribed by each party to their and the other party's time and resources--and you can see why the disconnect exists.