But the bug bounty policy was very clear on all of this, and this extortionist never concealed his intentions. And all this text can come up with is "what if we loop in even more people". Indeed, this description made it very clear that the existing processes were intentionally subverted; what can more processes do to avoid that when it happens by decision of the CSO and CEO?
An example of a complicating factor identified by this postmortem is that the CSO was simultaneously a Dep. GC, and was made a DGC in part to facilitate direct reporting relationships with the CEO that ended up short-circuiting the normal GC process.
Further factors identified in the postmortem involve responses given to the FTC that weren't properly vetted, but easily could have been by a typical counsel's team.