
Responsible disclosure to the vendor is one thing. Taking the fruits of your exploits and publishing them for glory, with an "I leaked all that information because you wouldn't fix it" attitude, is quite another.

I would hope that if you discovered a vulnerability in one of my web applications you would contact me first and allow it to be resolved. Might even be lucrative for you.

If you used that vulnerability to steal my database and publish it to the public domain -- when it has no place in the public domain -- I would expect the DoJ to hunt you down.

I never said anything about not being friendly. But if you are playing with people's identities, their lives, this is not friendly at all.




As we have seen from many, many articles, vendor disclosure often ends with threats, intimidation, your business interaction with them being canceled, and being forced to sign an NDA on hostile terms.

Once you have contacted the vendor, it's not safe to go the pastebin route. So it becomes an unfeasible solution.

On the other hand, try to "hunt down" a pastebin post original author. It would be the last of your worries.



