report a security hole? you must be a criminal

Posted on: Mon, 01/13/2014 - 13:32 By: Tom Swiss

At least the cops didn't follow up on it, but the idea that a company would call them in the first place in such a situation is ludicrous enough.

Teen Reported to Police After Finding Security Hole in Website | Threat Level | Wired.com

Rogers says he contacted the site after Christmas to report the vulnerability but never got a response. After waiting two weeks, he contacted the newspaper to report the problem. When The Age called the Transportation Department for comment, it reported Rogers to the police.

...

The practice of punishing security researchers instead of thanking them for uncovering vulnerabilities is a tradition that has persisted for decades, despite extensive education about the important role such researchers play in securing systems.

...

Update 1.9.14: Rogers confirmed to WIRED that the vulnerability he found was a SQL-injection vulnerability. He says the police have not contacted him and that he only learned he’d been reported to the police from the journalist who wrote the story for The Age.