[159806] in North American Network Operators' Group
Re: Security reporting response handling [was: Suggestions for the
In-Reply-To: <20130122081031.GH31028@hezmatt.org>
Date: Tue, 22 Jan 2013 16:57:04 +0530
From: Suresh Ramasubramanian <ops.lists@gmail.com>
To: "nanog@nanog.org" <nanog@nanog.org>
On Tuesday, January 22, 2013, Matt Palmer wrote:
> That article doesn't justify security review, it justifies not being a
> complete knob when someone reports a security hole in your site. There are
> so many site vulnerabilities these days that they're not news. What *is*
> news is when the vulnerable organisation goes off the deep end and
> massively overreacts to the situation.
>
Report - yes. What this kid seems to have done is - reported it, got
thanked for it. Then went ahead and pentested the site to see for himself
whether the bug was fixed or not. Which justifies the company asking him
to stop I guess - and it definitely justifies the kid's prof chewing him
out.
Expulsion, maybe not, though the article I read said 14 out of 15 profs in
his college voted to boot the kid out.
--srs