Next time you should exploit a vulnerability, remove the coins and make it public. It will let you collect a good bounty, increase your profile and get hired as a consultant by some company and expose blockchain which will keep the public warned about using it.
That would be gray hat. I am white hat.
I had the opportunity to take all of the money johoe did significantly before he even realized it was an issue. It wasn't my place to go saving anybodies coins, it was if anybodies it was blockchain.info's. I don't know the legality of what joehoe did, as far as I could justify in my head at the time even though it was a "good" act, it would still be breaking my countries law. During the event I asked blockchain.info for permission to sweep the money and return it to the company, but they didn't respond in time.
You should not stop looking for vulnerability, youre doing a good service to Bitcoin and the general user who is unaware of Blockchain.info's incompetence.
Responsibly reporting even ridiculously critical bugs isn't financially sensible for me with this company.
How many people lost coins in this? Weren't they refunded? Even if they weren't , look how many people lost BTC and how much in fresh thefts like MintPal. By any criteria BC.i is very small, far away from #1 place.
You would do well to look at potential for disaster. Blockchain.info likely holds high double digit percentages of all Bitcoin in existence. It's possible they own some of the most valuable servers in the world as unlike an exchange they can't use a cold/hot storage system. It's all hot, all internet connected, all the time.
