Well, mostly because if it was good enough, it would be the first thing out of the mouth of every blackhat that was caught...
Or to put it in a slightly more nuanced fashion, as a blackhat I could compromise your system, and then turn around and inform you that your system was being compromised whilst at the same time profiting from any data I had already stolen. If the company being contacted does not personally know the person contacting them, it is not altogether unreasonable to treat the person with great suspicion.
That said, people that do have a public reputation for white-hat work probably deserve to get a pass. This of course raises the question of how you go about getting a whitehat reputation, because most whitehats get their rep by doing the same things the blackhats do, without the profit motive.
Well, every time I've gone vigilante, I've logged the ever lovin' shit out of myself, just in case. Nothing interesting ever happened, though.
There was one time when I used a CnC channel to issue uninstall commands against a couple hundred bots. That was only after trying to contact a user or two to suggest that they uninstall the malware themselves... Those conversations went SO poorly! :)
Anyway, the only way to find a user's contact information via a piece of malware like that is arguably an invasion of privacy... Which brings us full circle.
Could we establish a metric for Good Samaritanism? Could we design a metric that is restrictive enough to prevent misuse but inclusive enough to allow unrequested, benevolent cleaning and patching?
> Or to put it in a slightly more nuanced fashion, as a blackhat I could compromise your system, and then turn around and inform you that your system was being compromised whilst at the same time profiting from any data I had already stolen.
Which provides a perfectly reasonable way to distinguish the white hat from the black hat. The black hat is the one making fraudulent charges to stolen credit cards, or selling social security numbers, etc.
Well no, not really. After all, the blackhat isn't telling you that they're also busy selling your data to someone. And even if you are aware that the data is being sold, the blackhat can claim that it must be another intruder using the same flaw, and geez, you really should fix that!
If the data "is being sold" then go arrest whoever is selling it. This is basic police work. Someone is making fraudulent credit card charges? Go nab the guy when he goes to pick up the merchandise, then turn him against whoever provided the credit card numbers (if it wasn't the same person).
Doesn't that make a lot more sense than charging anyone who cuts across your lawn with grand theft just because someone engaged in grand theft might cut across your lawn?