Kurt McKee

lessons learned in production


Hey there! This article was written in 2007.

It might not have aged well for any number of reasons, so keep that in mind when reading (or clicking outgoing links!).

Reporting vulnerabilities to Northwestern

Posted 23 January 2007 in disclosure, northwestern-university, security, and vulnerability

I reported a vulnerability to Northwestern once, and I did not feel it was received very well. There were a few interesting emails back, but most of the emails could be condensed to just "You didn't handle this correctly" and vague emails that felt as if the person was talking to me through a big, fake grin, fangs bared. I appreciated the emails from several people who expressed thanks for reporting the issue, but those were guarded and usually included concerns about repercussions.

Despite my fears, I'm pleased to say that the vulnerability was dealt with quickly. However, only about 40% of the vulnerability was dealt with: a trivial fix was put into place that doesn't solve the entire problem. I could certainly send another email, but if it's not made public I doubt it will be dealt with very quickly. I doubt it will even be viewed as a situation to be dealt with.

I'm writing about this because I have found several more flaws in the software that runs on Northwestern's domain. I don't know if they're exploitable yet, but they have the potential to be. I'm also writing about this because Bruce Schneier had a blog entry today, entitled "Debating Full Disclosure", and it reminded me that I need to decide whether to just keep my mouth shut or report the things I think I've found. Up until now I've ignored the situation, always remembering that reply that made me fear contact from Northwestern's legal department.

Hopefully one day I'll be able to publish what I've uncovered; it sure was fun to find, and I felt quite clever at the time!