> No one is doing 16 step exploits unless you're a huge target in some way. 0.0000001% of companies fit that bill. And even then, ok, what did they get? An account login? What are they doing to do? Read email?

Account take over of a user account. I'm pretty sure I could sell access to the DMs of a few popular people for 100x what we paid out for that report.

But also, I'm pretty confident that this researcher delivered this exploit because I'd said that there was no way he could use it maliciously, not because he wanted to be paid. Then, once I made that critical error in judgement by questioning (rejecting) his assertion in his report. He, like most hackers, being insulted by the idea, was then required to restore his name and reputation. There are the people who only go after targets that they can confidently make money off targeting... some of us care more about reputation than money, and will die on any hill when our reputation/work is questioned/doubted.

> Security "teams" are a bunch of fucking busybodies with nothing to do. Pay for a competent admin team and the security dept is completely redundant and useless.

Lmao, tell me you don't really understand what goes into getting functional systems/corp security without telling me. I don't even disagree with the point you were trying to make. You're absolutely correct! If you have a competent admin team, you don't need a dedicated security team. Unfortunately, as I live in the real world, where most people are incompetent, it does help to have a dedicated security team. Especially considering if you were an admin who is competent, you could make 2x as a security engineer, which normally keeps all the competent people out of admin, and thus requiring a dedicated security team.

I don't know why you're mad, or why you're arguing it at me. I'm pretty sure I already agree with most of your points... the only one I might disagree with, and only then because you're arguing at me for some reason, and that makes me think you probably disagree, with the important point which is, we're all on the planet together, you're not required to help me do my day job, but as an industry, both security engineers and security researchers, we need to remember that we're actually on the same side, and we need to aggressively resist returning to the us vs them mentality that we're just barely starting to escape from. Case in point, it appears to me that you think complaining about how security people are useless and CVEs don't matter, as a much more important point, than complaining about obviously irresponsible disclosure.