What happens when a friendly ethical hacker warns companies of their vulnerabilities?

A. The companies don't care because they’re answerable to no one

B. The companies ask him to mind his own business and quietly patch their servers

C. The companies can get the ethical hacker prosecuted (instead of rewarding them)

D. All of the above

In the last seven days, we've got a flavour of this. French hacker Elliot Alderson wrote a Twitter thread on how he gained access to
state-owned BSNL's intranet and got hold of details of over 47,000 employees. A few days before that, Reddit user always_say_this showed the vulnerability of servers belonging to Truecaller Pay and Tata Sky. In fact, the white-hat hacker had stumbled upon 6000 such potentially vulnerable servers from around the world. When he pinged 30 Indian CEOs, some 10 of them replied, and the others quietly patched their servers.

Unguarded servers are a threat to businesses and their customers. In 2017, out of 978 million people who fell victim to cybercrime, 186 million were from India who lost $18.5 billion. That's humungous.

Security breaches have become frequent, yet most companies take it easy. Worse still, ethical hackers who inform companies about their vulnerability risk getting prosecuted, a big reason why "hacktivism" hasn't picked up in India.

Companies believe in security by secrecy. Many fail to realise that they are constantly subjected to hacks, and not having an incentive to disclose breaches only keeps them in the dark. Until someone decides to put the findings up for sale.