What kind of IT Policy was applied? Was this automatic, did they detect the event before he alerted them, or did they do this after he had disclosed the vulnerability?
The first application of the IT Policy is the interesting one here, as it lays the foundation for - or undermines Hamed's case as a white hat.
The first application of the IT Policy is the interesting one here, as it lays the foundation for - or undermines Hamed's case as a white hat.