This past week I had the opportunity to write about a story involving Joshua Rogers, 16, from Melbourne, Australia, who discovered a security issue with Public Transport Victoria (PTV).
As I was in the back of a taxi heading to the airport I had the opportunity to ask Josh a series of questions via email pertaining to the incident.
Dave Lewis (D): What were you doing at the time that caused you to stumble on this exposed database issue?
Joshua Rogers (JR): Checking whether or not transport was free on Christmas day. I had heard on TV something about it, so checked it out.
D: What tools were you using?
JR: When actually exploring the database structure, SQLMap.
D: How did you go about informing PTV and what was their response? Did you contact them directly?
JR: I emailed 13 of their employees who were somehow involved in the IT department, and their official IT support email.
The only response I got was after the original reporter, Adam Carey, contacted them saying it would be in the newspaper.
D: What was your reaction when you heard that PTV had referred the matter to the police?
JR: I was unsurprised. I actually thought it would happen from the start.
They are trying to push away the fact that they are at fault, and try to put the blame on me, when in fact they're to blame, and I've done nothing wrong.
D: Have you been contacted by the police? If so, what has transpired since we last chatted?
JR: No. Nor have I been contacted by PTV telling me that they've reported me to the police. I've only heard things through the newspaper.
D: Do you have legal representation?
D: Has this experience soured or strengthened your resolve?
JR: No change, probably.
D: How would you handle disclosure in the future?
JR: No different. The reason I went to the press regarding this was that PTV looked as if they didn't care.
Even now, they haven't contacted any of the 600,000 people affected.
The 600,000 people _I saved_ have a RIGHT to know that their data may have been compromised through PTV.
Of course, this is Rogers' perspective. To serve as a counterpoint to this story I had the opportunity to speak with Zach Lanier from Duo Security. He had this to say, "In the last few years the computer security industry as a whole certainly has moved in lockstep toward at least a better understanding of disclosure, but unfortunately that doesn't extend to every industry."
As to PTV's handling of the disclosure, Lanier had this to say, "The kind of chilling effect that the Victoria Transportation Department has recalled by virtue of reporting Joshua Rogers' report is counterproductive -- it doesn't disincentivize anyone from discovering and exploiting vulnerabilities in the department's systems, but rather the disclosure of those vulnerabilities. Regardless of their stance on vulnerability disclosure, they should consider (and be thankful for) Rogers' attempt at 'responsible disclosure'."
And what of responsible disclosure? Lanier offered this, "The increase in bug bounty programs and brokers is a welcome outlet for the fledgling security researcher looking for help (and a kickback) for coordinated disclosure, but these initiatives don't yet account for anyone who falls outside of an OEM, software vendor, or service provider. There's a significant need, then, for non-partisan and, perhaps more importantly, non-commercial entities who can broker the vulnerability disclosure process between security researchers and non-vendors (or at the very least guide researchers who are inexperienced in this capacity)."
I will follow this story and update if there are any further developments.