This isn't to say you should maintain your belief that a researcher is acting in good faith when presented with evidence to the contrary. Rather, one should keep in mind that participants are working toward a common goal: reducing the harm caused by deployed insecure systems. I Am the Cavalry describes Finder/Reporter motivations thus [1]:
Table 1: I Am the Cavalry's Finder / Reporter Motivations
The Awareness and Adoption Group within the NTIA Multistakeholder Process for Cybersecurity Vulnerabilities [2] surveyed security researchers and vendors, finding that [3]:
- 92% of researchers participate in some form of CVD.
- 70% of researchers expected regular communication from the vendor about their report. Frustrated expectations were often cited as the reason for abandoning the CVD process.
- 60% of researchers cited threat of legal action as a reason they might not work with a vendor to disclose.
- 15% of researchers expected a bounty in return for their disclosure.