Agree - yet, security researchers and our wider community also needs to recognize that vulnerabilities are foreign to most non-technical users.
Cold approach vulnerability reports to non-technical organizations quite frankly scare them. It might be like someone you've never met telling you the door on your back bedroom balcony can be opened with a dummy key, and they know because they tried it.
Such organizations don't kmow what to do. They're scared, thinking maybe someone also took financial information, etc. Internal strife and lots of discussions usually occur with lots of wild specualation (as the norm) before any communication back occurs.
It just isn't the same as what security forward organizations do, so it often becomes as a surprise to engineers when "good deed" seems to be taken as malice.
Maybe they should simply use some common sense? If someone could and would steal valuables, it seems highly unlikely that he/she/it would notify you before doing it.
If they would want to extort you, they would possibly do so early on. And maybe encrypt some data as a "proof of concept" ...
But some organizations seem to think that their lawyers will remedy every failure and that's enough.
> If someone could and would steal valuables, it seems highly unlikely that he/she/it would notify you before doing it.
after* doing it. Though I agree with your general point
Note the parts in the email to the organization where OP (1) mentions they found underage students among the unsecured accounts and (2) attaches a script that dumps the database, ready to go¹. It takes very little to see in access logs that they accessed records that they weren't authorized to, which makes it hard to distinguish their actions from malicious ones
I do agree that if the org had done a cursory web search, they'd have found that everything OP did (besides dumping more than one record from the database) is standard practice and that responsible disclosure is an established practice that criminals obviously wouldn't use. That OP subsequently agrees to sign a removal agreement, besides the lack of any extortion, is a further sign of good faith which the org should have taken them up on
¹ though very inefficiently, but the data protection officer that they were in touch with (note: not a lawyer) wouldn't know that and the IT person that advises them might not feel the need to mention it
Cold approach vulnerability reports to non-technical organizations quite frankly scare them. It might be like someone you've never met telling you the door on your back bedroom balcony can be opened with a dummy key, and they know because they tried it.
Such organizations don't kmow what to do. They're scared, thinking maybe someone also took financial information, etc. Internal strife and lots of discussions usually occur with lots of wild specualation (as the norm) before any communication back occurs.
It just isn't the same as what security forward organizations do, so it often becomes as a surprise to engineers when "good deed" seems to be taken as malice.