How is that extortion? Extortion needs a threat for non-compliance. Offering to sell a company information with no consequences for rejection is an invitation to trade.
They show up and take all your electronics to investigate an extortion claim.
How far down the rabbit hole do you want to go? You might win in the end. You might get jail time. You might have a pretty rough 6 months and get nothing.
Being internet tough and going to court tend to be very different things.
What bizarre reading of my comment are you responding to? I'm saying that offering to sell someone something is objectively not extortion. That doesn't say anything about whether the justice system will interpret it as such, or whether it would be a good idea to try to sell the source to eBay.
"objectively not extortion" doesn't matter, and is completely irrelevant to the conversation being had here. The point is that if you tried doing this thing that is or isn't "objectively extortion", you're going to risk dealing with what the comment outlined above, and that is the real penalty for trying something like this.
The larger point, and the nugget you probably should come away with, is that there's a prohibitively high cost for doing what's being discussed. There most definitely is plenty to worry about here.
Yeah, obviously you shouldn't try to do what's being discussed. That goes without saying. Did you read the comment I was responding to? I feel like I'm talking to myself here.
By that definition it is not stealing to take something that is unguarded, isn't locked or surrounded by a fence, from a neighbor's lawn or a department store.
No, it's not. It's more like if Coca-Cola accidentally published their recipe in the newspaper instead of an ad - that's their blunder and not corporate espionage.
Tell you what, call up a local law enforcement officer and ask for $10,000. When they say no, tell them you know where they live. See if that is considered a threat by the courts.
Well yeah obviously that's going to be considered a threat. But is that what we're talking about here? No. That would be the equivalent of contacting eBay and asking for money, then implying you "wouldn't want the source to fall into the wrong hands".
I didn't think we were contemplating selling the source back, rather selling details of how a malicious person could easily acquire the source - as one may have done as a slightly-off-white hat hacker.
It's not theft either; and we could have immediately destroyed all our data except some excerpt as proof the hack is available so we would not be handling any infringing data (despite the initial act potentially being infringing, depending on jurisdiction).
This is akin to "I went past your property and saw the door open, stepped inside and took a picture as proof; do you want to see the picture?".
Yes you're right, my description of the scenario wasn't quite accurate. Personally I don't think this scenario is unethical (beyond your responsibility to disclose potentially being to the company's users, not the company itself, meaning withholding the vulnerability might be ethically dubious) but as I understand (IANAL) it is illegal. But the law doesn't always map well onto ethics.
What if you work at a cyber security company? Could you not send an email saying you found a couple of security issues on their site and offer your services? Where is the line here?
If I find a security issue with someone's site, why do I have any obligation to tell them?
I think that sadly, legally, you already broke the law doing something outside "intended use" (or whatever it's called) when you found the security issue. Unless they paid you to do the research.
This is something I don't understand. How can it be illegal to expose a vulnerability without telling someone the real issue in the digital world, while you have no responsibility if, let's say, you call a shop owner's attention to the fact that the patio's parasol might be causing injury in the physical world?
It's more like telling a shop owner that you were able to open their doors when the shop was closed by simply getting the key from under the doormat. It actually seems tricky to design law sensibly around cases like those.
These analogies never work (and I just used one elsewhere on this story too) - one could equally equate it to arriving at a business, opening the door without seeing the "closed" sign, going in and taking a photo, realising no one is there, and leaving. Then you call the owner and say "I noticed you have a security problem". The problem is their employee forgot to lock the door; they'd indicated you shouldn't go in (posted the closed sign), and so, strictly speaking, you were trespassing [unlawfully entering, whatever].
Punishing the person for telling you you have a problem seems a bit silly, even if the photo they took included copyrighted material (maybe an architecture model on the counter).