What's The Line Between Good Samaritan Hacking... And Extortion?
mtippett | September 28, 2006 at 07:20 am
We've had plenty of stories in the past about security researchers who have faced legal problems after exposing security vulnerabilities in various products or websites, leading to long debates about the border between breaking the law and trying to help protect against vulnerabilities. Plenty of security researchers are now afraid to even report some vulnerabilities, for fear of having the messenger blamed (or, worse, arrested). However, there probably is a line to be drawn somewhere -- and calling up a bank that had a flaw in its website, telling them how to fix it, and then demanding payment for letting them know about it, probably crosses that line. It's one thing to have the company ask you to help them fix a hole you discovered. It's quite another to demand payment. In this case, though, even though the hacker pleaded guilty, the judge let him off, noting that it seemed more a mistake of being naive than any malicious intent.