Security reporting response handling [was: Suggestions for the future on your web site]
mpalmer at hezmatt.org
Tue Jan 22 08:10:31 UTC 2013
On Mon, Jan 21, 2013 at 11:23:16PM -0500, Jean-Francois Mezei wrote:
> This article may be of interest:
> > http://arstechnica.com/security/2013/01/canadian-student-expelled-for-playing-security-white-hat/
> Basically, a Montreal student, developping mobile software to interface
> with schools system found a bug. Reported it. And when he tested to see
> if the bug had been fixed, got caugh and was expelled.
> I the context of this thread, they found a vulnerability in the web
> site's archutecture that allowed the to access any student's records.
> This is the perfect type of incident you can bring to your boss to
> justify proper architecture/security for your web site. "How would you
> react if it was your company's name in the headline ?"
That article doesn't justify security review, it justifies not being a
complete knob when someone reports a security hole in your site. There are
so many site vulnerabilities these days that they're not news. What *is*
news is when the vulnerable organisation goes off the deep end and massively
overreacts to the situation.
See Also: First State Superannuation.
More information about the NANOG