Former pentester here. Though I’m largely sympathetic with Goodwolf, note that releasing actual data is almost always a bad idea. It’s why bug bounty programs have limited scope.<p>The city seems upset that he shared data about ongoing investigations and undercover police reports. Depending on what exactly he shared, it’s hard to fault the city for that. It doesn’t really matter where the data currently exists; grabbing it and handing it off to others is obviously not a good idea.<p>If his goal was to prove to the reporters that such data existed and was available for download, he had many options that didn’t require accessing the data: screenshot the forum posts, send links to the reporters, detail what kind of data was there without actually showing any of it, and so on.<p>Now, if that’s what he did, and the city is still reacting this way, that’s obviously abuse. But it doesn’t seem unreasonable to order someone to stop disseminating data about ongoing investigations to reporters. Would you want your private cases to be more widely spread?<p>I’m really sympathetic to him, because this is an easy mistake to make. Before I got into the industry, I thought that this was white hat hacking; it’s obviously good that he’s spreading awareness about the breach. But <i>how</i> you do it really matters.<p>(Caveat: I worked in the industry for about a year in 2016, so maybe things have changed. But I’d be shocked if distributing actual data from any breach was condoned by anyone who works as a pentester, even today.)<p>> the city says Goodwolf is threatening to publicly share the city's stolen data in the form of a website that he will create himself. Goodwolf previously told 10TV he does plan to set up a website, but it would only allow people to see if their name was part of the data breach.<p>This isn’t the same as setting up a site to see if your password was compromised. It could let anyone type in someone’s name and see whether they’re a witness in a criminal investigation.