"...this kind of "pro bono" work isn't telling us anything we don't know..."
That's scary right there. If you're deploying something you know has vulnerabilities you have bigger problems than losing sleep at 3am. Same for operating something you know is vulnerable. You (collective, not you, personally) totally deserve to get up at 3am. It's grossly irresponsible, because what you probably don't already know is how that harmless XSS vuln you know about is really a leaf in a 7-level deep threat tree that results in information disclosure. I can just imagine that such a cavalier attitude is how the Sony PSN network got owned.
My point stands. Attack from Iran or probe from a researcher (your points in your following paragraph noted and notwithstanding)?
"...If you don't own a system and don't have permission for it then don't attack it."
Lots of things are vulnerable to DoS attacks in a multitude of ways. Depending on the business, it's not uncommon to just say "we'll deal with it when it happens."
But, someone asks, what if the business is really really important? Then that's all the more reason to not mess with it.
What's scary is how self-centered you are. How do you know that the vulnerabilities haven't already been found by an internal security audit, and that they're in the process of being patched, but by your disclosure to the media you are petulantly demanding that the company patch your vulnerability right this instant so you can get the fame and ego gratification from it?
All large companies have vulnerabilities, there's always work that needs to get done, that always gets triaged according to impact, and then people who ideally should have 40-hour work weeks have to start patching code, then it needs to get Q/A tested to prove that rolling it out won't break everything else, and all that takes time.
And I have worked for companies that took security seriously and worked for companies that had laughable security practices. In either situation, having 'help' from external 'security researchers' was not useful. In the case where companies were run competently it just means that you cause people to scramble and push solutions before they're ready. In the case where companies were not run competently it just causes people to scramble and does nothing to affect the underlying shittiness of the company. You are not going to be able to fix shitty companies. It's not your job to stop future Sony PSN networks from getting hacked, you can't do that, and you should stop thinking you can, and stop using that as justification for your own actions.
"...If you don't own a system and don't have permission for it then don't attack it."
That's loud and clear, for sure.