It's something that will be ongoing for the rest of our lives. Software is so incomplete. We have billions of lines of code right now in all kinds of applications, especially operating systems, that it's almost virtually impossible to.... Because the competition is very strong in the market, the companies just push out the software incomplete as it is and they just say they'll fix it as we go. This is one of the reasons we're getting these kinds of findings once in a while.
By an engineering analysis, people back at the company would say, well, nobody will think about doing that. But guess what? In the real world, we have people who are just doing whatever they seem interested in finding out. And, yes, by accident, they find these vulnerabilities, as we call them today. Should they be disclosed mandatorily? Of course.
The youngster and his parents went on to disclose it, and lawfully. They didn't want to exploit the situation; they just wanted to report it, and they even got turned down by the company.
Certainly I agree with you on this. There should be a law that says to a company that whenever someone comes to them, listen to that person, or whoever the party is who is bringing you the information, and act upon it promptly. If not, the company should be fined.