Hi,

(Mind the English, like my French, it's awful.)

Going from what seems to be a non-service-impacting XSS scan to expulsion is a bit of a trek. I'm sure there is a big chunk of story missing. Besides, a 20yo is rarely aware of the proper etiquette when it comes to scanning websites, and the worst he should have got is a sit-down with security experts to explain to him how to go about it in the future.

Hopefully, stories like this will provide more incentive to 3rd-party software providers to add this type of scan to their Q&A, and to train their developers in the art of internet security when it comes to XSS/SQL injection (see OWASP, etc.).

PS: Being in Montreal, too bad someone already offered him a job :( I may have some part-time work for a bright kid soon.

-----
Alain Hebert
ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770
Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911
Fax: 514-990-9443
http://www.pubnix.net

On 01/22/13 06:27, Suresh Ramasubramanian wrote:
On Tuesday, January 22, 2013, Matt Palmer wrote:
That article doesn't justify security review, it justifies not being a complete knob when someone reports a security hole in your site. There are so many site vulnerabilities these days that they're not news. What *is* news is when the vulnerable organisation goes off the deep end and massively overreacts to the situation.
Report - yes. What this kid seems to have done is - reported it, got thanked for it. Then went ahead and pentested the site to see for himself whether the bug was fixed or not. Which justifies the company asking him to stop I guess - and it definitely justifies the kid's prof chewing him out.
Expulsion, maybe not, though the article I read said 14 out of 15 profs in his college voted to boot the kid out.
--srs