
I guess pip wouldn’t pay the researcher cash, so they’re not interested in that. This blog seems like a pretty desperate attempt to get google to pay them.

I think my response would be two words and the second one would be off.



> This blog seems like a pretty desperate attempt to get google to pay them.

It's actually deliberately criminal as I read it. "Hey, I trojaned some code and got it downloaded onto your company's systems! Please pay me a bug bounty!" is 100% isomorphic to extortion.


It is not extortion unless a threat is being made, and you cannot manufacture a threat against yourself by claiming that the author might conceivably make a threat on the basis of these facts, particularly when you have also said that these facts raise no concerns.

There is no credible threat here. In addition to the above points, if attacks were made by exploiting these facts, the author, having raised the issue in the first place, would become a person of interest in any investigation.


“Ladies and gentlemen of the jury, my client did not threaten anyone! His accusers are on record as saying he merely told them that they had a, quote, ‘nice little restaurant’, and that it would be a ‘shame if it caught fire’. These are not threats, but simply facts.”


Sigh... this is why I wrote "credible threat". There is no credible threat here.


He literally compromised live systems. You're using "credible" in the sense that you take him at his word that he won't do anything bad. That's exactly the wrong party to be playing trust in!


Your response here has failed to address any of the points I made in my original reply. You have not identified any threat being made, without which there is no extortion - and as Google does not regard this situation as being a vulnerability, it is going to be difficult for you to identify a credible threat that could be used to extort something from them.

Notice that you are also taking the author at his word when you say he literally compromised live systems. To turn this into a case of extortion, you would have to go beyond that and invent a number of things that have not been said - and some highly implausible things at that, given the very public way in which this supposed extortion is being conducted.


> Notice that you are also taking the author at his word when you say he literally compromised live systems.

Technically true. If this happened as described, it's criminal behavior. If he's lying, it's maybe not.

FWIW: explicit threats are not and never have been a requirement for prosecuting extortion crimes. I'm not sure where you are getting that.


This is just more non-sequiturs, with which you attempt to distract from the gaping hole in your position. You have still not shown any hint of any plausible threat, without which, it is not even close to, as you put it, "100% isomorphic to extortion" - in fact, you have not presented one iota of evidence of extortion, and evidence is a requirement for prosecuting extortion crimes.

And for your information, 'explicit' is not a synonym of 'credible'.


Can you describe a credible submission to a bug bounty that isn't "100% isomorphic to extortion"?


Any submission without an exploit? It's routine to find crash bugs or potentially XSS data or injection opportunities without going all the way to a compromised system.

The issue here is that the submitter actually attacked live systems, instead of just reporting on the possibility of malicious library code.

...which is something everyone already knows about, and thus why he couldn't get paid. You don't get paid for actually hacking systems either!


Most bug bounties against remote systems are criminal.
