Security reporting response handling [was: Suggestions for the future on your web site]

Matt Palmer mpalmer at
Tue Jan 22 08:10:31 UTC 2013

On Mon, Jan 21, 2013 at 11:23:16PM -0500, Jean-Francois Mezei wrote:
> This article may be of interest:
> >
> Basically, a Montreal student, developing mobile software to interface
> with the school's system, found a bug. Reported it. And when he tested to see
> if the bug had been fixed, got caught and was expelled.
> In the context of this thread, they found a vulnerability in the web
> site's architecture that allowed them to access any student's records.
> This is the perfect type of incident you can bring to your boss to
> justify proper architecture/security for your web site. "How would you
> react if it was your company's name in the headline?"

That article doesn't justify security review, it justifies not being a
complete knob when someone reports a security hole in your site.  There are
so many site vulnerabilities these days that they're not news.  What *is*
news is when the vulnerable organisation goes off the deep end and massively
overreacts to the situation.

See Also: First State Superannuation.

- Matt

