The correct answer you're looking for is: Sell it on the black vulnerability/exploit market. Profit!
On Tue, Jan 22, 2013 at 3:08 PM, Sanguinarious Rose <sanguiner...@occultusterra.com> wrote:
> And that is the reason why no one wants to report anything they find,
> it's because of people like you and your kind of thinking.
>
> Did they publicly post all the private information?
> No
>
> Did they try to use it for malicious or illicit purposes?
> No
>
> Did they report it when they found it?
> Yes
>
> A horrible moral compass indeed! Arrest these people for being
> concerned and reporting it after stumbling upon security flaws!
> Amiright?
>
> On Mon, Jan 21, 2013 at 8:06 PM, Nick FitzGerald
> <n...@virus-l.demon.co.uk> wrote:
>> Jeffrey Walton wrote:
>>
>>> On Mon, Jan 21, 2013 at 5:42 PM, Philip Whitehouse <phi...@whiuk.com> wrote:
>>> > Moreover, he ran it again after reporting it to see if it was still there.
>>> > Essentially he's doing an unauthorised pen test having alerted them that
>>> > he'd done one already.
>>> If his personal information is in the proprietary system, I believe he
>>> has every right to very the security of the system.
>>
>> BUT how can he "verify" (I assume that was the word you meant?) proper
>> security of _his_ personal details? He would have to test using
>> someone _else's_ access credentials. That is "unauthorized access" by
>> most relevant legislation in most jurisdictions.
>>
>> Alternately, he could try accessing someone else's data from his login,
>> and that is equally clearly unauthorized access.
>>
>> He and his colleague who originally discovered the flaw may have used
>> each other's access credentials to access their own data, or used their
>> own credentials to access the other's data _in agreement between
>> themselves_ BUT in so doing most likely broke the terms of service of
>> the system/their school/etc, _equally_ putting them afoul of most
>> unauthorized access legislation.
>>
>>> Is he allowed to "opt-out" of the system (probably not)? If not, he
>>> has a responsibility to check.
>>
>> BUT he has no responsibility to check on anyone _else's_ data and no
>> _authority_ to use anyone else's credentials to check on his own.
>>
>> So, what "responsibility" does he really have?
>>
>> It sounds like he should have left well alone once he had reported this
>> to the university and the vendors. That he did not have the sense or
>> moral compass to recognize that tells us something important about him.
>>
>>
>> Regards,
>>
>> Nick FitzGerald
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/