When a company or individual purchases a piece of software, they tend to think that the company that they bought it from will always keep it secured.
The ideal is that they believe that the company will be the first one to notify them if anything is wrong.
In most situations, this is the furthest thing from the truth.
Software companies are loath to report that there is any vulnerabilities in their programs.
Most want the customer to believe that the software has no problems at all.
They will only fix and report the problem once it is discovered by a third party.
The White Hat Hacker
Hopefully, the third party is a white hacker that enjoys finding faults and vulnerabilities in software.
If it is a black hat hacker then the company will find out about it too late.
When a white hacker finds a problem in the software, they usually have two options that they can go with.
The first option is to report the problem to the vendor and give them time to clean up their mess.
The second option is to disclose the vulnerability publicly and force the vendor to fix the problem.
Both ways have their pros and cons.
It is up to the hacker themselves to decide which one is the right course of action.
If you decide to tell the company before you make the exploit public, they can either have a good reaction or a bad reaction.
If the company is smart, they will work with the hacker in coming up with a solution to the problem.
They owe this to the customer.
This is the only way that they can be sure, that the software they sell to people is secured.
If they do not work in tangent with the hacker to solve the problem then the software may never get fixed.
There have been cases when companies have had a negative reaction to hackers coming forward and telling them that there is a problem with their software.
Some companies have threatened legal action and told the hacker to shut their mouths.
It is not illegal to discuss a problem with a product but the companies tried to legally scare the hackers anyway.
If a hacker decides to publicly expose the problem before they tell the company, then there can be a backlash to that as well.
If they leak the problem before they give the company a chance to fix it, then that could leave thousands of customers vulnerable to an attack until a patch is released.
The one good thing about this method, is that the company is guaranteed to release a fix for the problem.
If they do not, then there could be legal ramifications brought to them by the customers.
You must be careful if you decide to release the exploit first.
They may try to go after you legally as well.
Even the consumers that you tried to help.
There are good sides of the argument for both why a vulnerability should be disclosed to the public first or to tell the company first and try a wait and see approach.
As long as you know the consequences for both actions, then you can prepare yourself properly.
Just know that you are doing the right thing by letting people know about a problem.