Reply to post: Who cares about fame?

Kaspersky VPN blabbed domain names of visited websites – and gave me a $0 reward, says chap

Anonymous Coward

Who cares about fame?

Bug bounty programs are a poor solution for actual security, and thus end users. They are often used to buy silence, and can make it difficult to report bugs where you want to retain control of the information and don’t give two hoots about the cash.

This guy let his greed get the better of him. It’s clear that Kaspersky don’t pay for this class of bug. I know of at least two other organisations that do. Not that they’d be reporting it up to Kaspersky...

Lesson for all researchers. Decide what outcome you’re interested in (securing end users, cash, fame) and send your findings to the appropriate party.
