
The most ethical move would have been to write to people listed at https://www.iana.org/domains/root/db/cd.html and put IANA in copy (likely ROOT-MGMT@IANA.ORG as listed in the public document: 24x7 Emergency Process Step-by-Step Description).


I feel it's problematic that whenever someone writes about an ethically tricky security vulnerability disclosure someone will come up with some variant of "but doing it a bit differently would've been more ethical".

The reason I think this is problematic is that there are already more than enough people in the security community who will either say "fuck it, I'm not gonna bother with that" or "let's sell it to the highest bidder".

We should appreciate more when people are trying to do the right thing and worry more about the people doing clearly the wrong thing and less about whether the people doing overall the right thing did it perfectly.


I think this situation is like knowing a car crash is about to happen and then still waiting for it to happen though. Why not email someone to pay their bill?


It's worse than that. It's knowing a car crash will happen, waiting until it does, and then writing a self-promotional article about how awesome you are at predicting car crashes in an attempt to sell your car crash prediction services.


I assume you mean that he should have done that when he noticed the domain was pending renewal? (edited to "renewal", not deletion)

He definitely acted decently overall (and did reach out to the people you mention afterwards). But I can empathize with the author for simply thinking "pending renewal? alright whatever" and later on "pending DELETE? shit I should make sure they're OK!".

I guess there's always what's best in hindsight and what's actually done.


Quoting the article:

> On January 7th, I reached out to the Administrative and Technical contacts listed for .cd on [https://www.iana.org/domains/root/db/cd.html].


A week after he registered the domain name. That's not the same thing as "before," which I believe the top comment in this thread was implying about what he should have done instead of what he did do.


Yes, I spotted that "week" too.

Seems odd to wait a week to make contact if this was purely a white-hat exercise.


And if he wasn't going to contact anyone, watching for the domain name to drop, and manually registering it at that point, is a recipe for disaster. It may not have been feasible for him to set up an automatic registration script (although I see he was using Route 53, so maybe it would have been?), but being first in line to drop-catch a domain name is the exact purpose of services such as SnapNames. Took a terrible and unnecessary risk on top of not doing the "most ethical" thing.


That would be the most ethical, sure. But this was a faster and safer course of action. And it wasn’t unethical.
