Here is a textbook description of what companies should NOT do when someone privately reports a security vulnerability in their publicly available web site which is chock full of PII…
Security Researcher Threatened with Vulnerability Repair Bill
A couple of observations about the article…
The guy who found and reported the vulnerability was a customer of the firm in question and seems to have done everything in an above board manner.
It sounds like the vulnerability involved changing a single parameter in a URL in order to access another customer’s account. Whoever designed/wrote that application needs some serious re-edumacation at the very least. Maybe these are the folks who should be paying to fix the vulnerability.
I’m not sure why they are demanding the researcher’s computer. The nature of the vulnerability would make it extremely easy to make sure he did not access additional PII by simply reading the web server logs.
I’ll bet that plenty of people at this organization are wishing that this incident never hit the news. Had they simply thanked the researcher and fixed the bug, their customers and business would have been protected and they would not have gotten such a public flogging. If I were a customer of theirs, I’d be wondering about the rest of their information security right about now.
So, to sum things up… WTF!