I understand the problem, beggars add noise to an important contact signal point…
But this idea that people 'did actually already do the "work" for free' so don't deserve remuneration… isn't great.
Lot's of people do spec work to try and get paid, or to get more work. The recipient is free to negotiate, rebuff or simply ignore it, but this idea that time sunk is valueless is unhelpful.
Not defending "Hammad" here. If you do spec security work you need to lead with what you've got, even if that's just a rough CVE severity rating, and your price. But I think I'd rather have people checking my configuration and taxing me for my errors than not to know at all.
This makes no sense. Imagine someone shows up at your house, paints the fence and then asks you for compensation. They already did the work, but you never even asked for it. The same thing is happening here.
1. Imagine a painter on the street, who made a quick painting of youand your partner in your natural state while being unaware of the process. Then he comes and asks if you are willing to pay and get it to yourself. No, you don't have the right to get it for free only because it was already painted.
2. Imagine that while you are on your walk, a guy comes to you and informs you that your bag was open and some stuff may have disappeared (dropped and/or stolen) from it. He went out of his way to detour and catch up to you (he had to run!) to report the issue. It was voluntary, but it is a good behavior. In physical world that alone should be rewarded (at least with sincere thanks). But if you are not willing to compensate, he has no duty to go spend even more of his time and energy in order to walk back, show you all the places where your stuff dropped and to stay and document all the details for your police/insurance application. He already did you a favor and is not required to put any more effort into it for free. It would be nice, but not a duty; especially because we are not talking about the private person or a hobby project, but about a company business. Discovering vulnerability is one thing, but properly writing and documenting it is a totally another expenditure of time, energy and opportunity cost. It is not free.
lol this actually happened to me. I came home with a note on my door and fixed gutter. Turns out they were supposed to fix someone's a few houses down but saw my house (first on the street). I was going to fix it myself. I called them to let them know I never scheduled anything and ask what was up. We figured it out and I gave them 1/2 of what they would have normally charged after I verified with that neighbor what they were saying was true. It was very reasonable even at full price. I wouldn't have had to pay them a dime, but they saved me some work and time and I sent them a check anyway.
But this idea that people 'did actually already do the "work" for free' so don't deserve remuneration… isn't great.
Lot's of people do spec work to try and get paid, or to get more work. The recipient is free to negotiate, rebuff or simply ignore it, but this idea that time sunk is valueless is unhelpful.
Not defending "Hammad" here. If you do spec security work you need to lead with what you've got, even if that's just a rough CVE severity rating, and your price. But I think I'd rather have people checking my configuration and taxing me for my errors than not to know at all.