I'm curious if the best monetary approach for a white hat hacker would be to show them the problem, give them time to fix it, and then give them an option to pay a consulting fee for the discovery in exchange for NOT publishing the exploit (after it has been fixed). The idea being that showing what you have found on other sites has marketing value for a white hat hacker, but had the company hired you to discover the flaw, you wouldn't be publishing it.
The best approach is not to do it. Demanding money from someone that didn't hire you is never ethical - just childish. Would you like it if I showed up at your house, mowed your lawn, and then started banging on your door demanding $100 for mowing your lawn?
Also, what marketing value - if you're just pwning random web sites rather than getting hired to test a site's security you aren't in any market.
Most people who are doing this type of thing offer consulting services to help make sure your site / app is secure.
> The best approach is not to do it.
Don't do what? Don't tell them there is a security problem?
> Demanding money from someone that didn't hire you is never ethical - just childish.
Let's say my front door is open. Someone takes a picture of it and sends it to me so I can close and lock it. Once it is closed, they explain that they offer a service where they will help homeowners make sure that they keep their doors closed. They plan to use the picture they took to illustrate how they help identify open doors, to show why people might want to be their client. However, if I want to pay them for the service they provided, then I get to decide if and how any information about my door being open is used.
The grass in the lawn may not be that dangerous to other people. However, if your house is emitting radiation, and a hero breaks in to clean it up for the sake of other people you service, (because the town does not need to wait for you to hire someone) the hero deserves a reward and the owner of the house deserves punishment.
Unless the "hero" is law enforcement or some other government agent with a warrant, he will likely have broken a bunch of laws by breaking into a person's house uninvited, and not very likely rewarded.
> give them an option to pay a consulting fee for the discovery in exchange for NOT publishing the exploit (after it has been fixed)
I'm not making any moral judgments, but purely from a legal perspective this sounds dangerously like blackmail. If anyone decides to take this path, be sure you understand the risks involved.