No. The only way to be a bad guy is to exploit the vulnerability. He didn't do anything wrong, he did something very right that most people couldn't and wouldn't have done, and he was rebuffed for it.
It's not like they're owed this. If not for this good guy wasting his time trying to contact them and publishing this they'd have probably been vulnerable for years.
The person in the thread who made the call could only have done so with the help of the initial disclosure. He couldn't have helped make Amex more secure until the security researcher showed him how.
It's not like they're owed this. If not for this good guy wasting his time trying to contact them and publishing this they'd have probably been vulnerable for years.
The person in the thread who made the call could only have done so with the help of the initial disclosure. He couldn't have helped make Amex more secure until the security researcher showed him how.
Now Amex is more secure than yesterday.