Jeremy Kirk reports:
An Australian teenager who notified a public transport agency of a serious database flaw is under police investigation.
Joshua Rogers, 16, of Melbourne, found a SQL injection flaw in a database owned by Public Transport Victoria (PTV), which runs the state’s transport system.
The flaw allowed access to a database containing 600,000 records, including partial credit card numbers, addresses, e-mails, passwords, birth dates, phone numbers and senior citizen card numbers.
A PTV spokeswoman said Friday police were notified as a “matter of process” because of the breach. She said she could not comment on whether PTV wanted to see Rogers prosecuted.
Read more on TechWorld.
This is the kind of stupid response or policy that discourages people from reporting vulnerabilities. The investigation should be about verifying and closing the vulnerability as the first priority, and then determining why the teen’s attempts to notify PTV through its own channels failed and left him no choice but to go to the media.