infosec4breakfast

Vulnerability Whistleblowers Being Punished... Not the Greatest Idea

Seriously?

I stumbled across this today at work: Montreal student expelled for being a whistle blower on school software flaw, students’ union calling for reinstatement. Not only did he disclose the vulnerability but wanted to help fix it. Do you know what would happen in the security world if everyone got arrested for responsible disclosure? It wouldn’t happen, you wouldn’t get your patches (for the most part) and bad guys would be exploiting your vulnerabilities indefinitely.

Hitting Close to Home

I’ve actually endured a similar experience; however, I was given the advice to conduct my forthcoming actions anonymously, which I took accordingly. I can’t give details of the events, but I can say that I’m very disappointed in how institutions and organizations react to someone disclosing vulnerabilities to them responsibly.

What if he had gone the other way? How would this have turned out? If he’s smart enough to find the vulnerability, he is surely smart enough to make off with the data anonymously, and not even have the vulnerability patched after the fact, leaving the data completely exposed to the wild west of the internet.

This was a short post, but I just wanted to get that off my chest. More to come :)

-Josh