Since this list has bred a lot of security consultants, I'll comment on the business practices here. Sending a company a bill for doing work they didn't agree to in advance is wrong.

I've spent substantial amounts of time finding and documenting bugs in various products. Some of it's public, a lot is not. In most every event, the handshake and thank you has led to consulting work for the company. If I show up with a bill in hand, that's not the right way to start a business relationship. So, questions of blackmail aside, it's plain bad practice.

I'll note that the company in Denmark is not a well known one, nor is the name one that I've seen, so there are questions of if the individual is using their true name or not while chasing the money. If they are not, it may be because they feel that this sort of business practice is one they'd like to disassociate themselves from.

Adam

Tom Weinstein wrote:
| > One can imagine people approaching a company with reports of a bug--as
| > a certain math professor approached a certain chip company with
| > reports of a strange FDIV problem--and being given the polite
| > runaround. "Thank you for sharing. We'll have one of our QA engineers
| > look into your report and maybe he'll get back to you."
| >
| > (I have no idea if Netscape reacted in this way, but I can imagine
| > that the flow of bug reports may cause many to linger in the "In"
| > baskets without action.)
|
| As a matter of fact, we responded to him very quickly. The day after
| we heard from him we had a phone call where Jeff Weinstein, Jim Roskind
| (Java security), and I were present. We gave it serious attention as
| we do with all security holes.

--
"It is seldom that liberty of any kind is lost all at once."
-Hume