I was more naive, but it worked out. Reported a vulnerability and how to fix it to a regional bank when applying for a student loan. They asked me to come in person to explain it and dropped a point off my interest rate.
In hindsight it was a huge risk and I was dangerously trusting.
If you are nice and don't threaten to publish, at least without giving them any time to fix it - which for a large bank is a couple of months - then I don't think it's a risk at all.
What they don't like is the publicity.
Edit: but maybe not in Hungary. It's the bad child in EU.
In Poland there was a case a few years back of a company owner (I have no idea if that means a one-person company or a bigger one) finding out, by putting a client's name into Google, that it had indexed documents containing private information of over 1000 companies that are clients of PKO BP, and reporting it to the bank.
At first the bank's security department said no one would find it so it was safe, and later, when he pressed the issue as a dangerous leak, they reported him to the police for "hacking and extortion". All the computers from his company were confiscated for investigation, so he had to buy new computers and software to continue running his company. In the end he was found not guilty by the police investigation of his computers, so the prosecution dropped the case (it didn't even go to court) and all his stuff was returned after 6 months.
A bank spokesperson later explained that the files were "deeply hidden" ("głębokie ukrycie", he said it's an IT term; it's not) and only one person found them in the 4 years of their existence there, so it's not a big deal.
And in general misusing, testing, etc. a website is illegal without the owner's permission; there is now a small exception for acting in good faith, but it's narrow, a bit strangely worded, and it doesn't prevent stuff like the above.
Ah, yes. Actually Poland is the other bad child in EU...
The European commission is currently threatening to remove Poland's voting rights due to the changes to the juridical system, but it will not happen as Hungary will veto.
I think they are on their own cultural axis somehow.
> Poland is very much its own cultural axis since last election
Election results are largely a reaction to existing "cultural" state. I don't think it's accurate to consider them to be changing it (think "effect does not imply cause").
> The thing is that PiS, Kukiz and TVP have normalized and brought into daily life in Poland extremely aggressive language and rhetoric.
Same thing as with Trump. It's because literally nothing else works today against self-righteous leftists.
You said in another comment that the majority of Poles would rather leave the EU than deal with the Islamic mess. AFAIK the most credible opposition to the current government is still PO, who were the ruling party before and, literally in the last days of their term, signed an extremely unpopular obligation to accept forced resettlement of German Muslims, which the current government had to backpedal from, damaging the country's international credibility.
The Polish government doesn't really have to do anything to stay in power indefinitely now. Until something changes on the political scene and a credible opposition arrives which isn't a puppet of Brussels, it's enough that they shake their fist at Merkel's social policies every now and then and they are literally guaranteed to win every election forever.
To clarify: they're drifting towards a political system reminiscent of Russia today, but they would never ally with Russia. The Soviet regime is still fresh in the zeitgeist's memory.
> Edit: but maybe not in Hungary. It's the bad child in EU.
The article suggests that they reported this guy to the police only after the info leaked out (or possibly was independently discovered by others) and made it to the press.
Scapegoating of non-malicious hackers isn't really anything new or unique to Hungary. It's a common reaction of IT-illiterates to people "cheating" on their systems everywhere.
I've reported two vulnerabilities. One to a fairly large web hosting provider that allowed me to access the databases of anyone else on the shared server my website was on. Another to a major credit card company -- given a person's first and last name I was able to see what kind of credit cards they had.
In both cases, they fixed it, thanked me, no arrests or threats were made. I think your experience is only outside the norm in the sense that you got monetary compensation out of it! Nice!