[tastroder]

> Be real.

This is apparently a curious student that discovered a vulnerability and, judging by the way that blog post is written, is unsure how to properly disclose it. If this was your Facebook analogy, they'd have a relatively visible path to disclose that. Here, they have to potentially fear being reprimanded or criminally charged.

Under the premise that yes, granted, all that might technically qualify for some criminal act: The aspect of intent and malice are, imho, important in these discussions and should be for the corresponding laws. They found a vendor negligently handling student data, instead of dumping it somewhere, making a fuzz in the press or using it for something they try to disclose it (at least I'd hope so). It's not like the author abused that data, they tried out a proof of concept to see if access to other users could be gained. Not just out of solidarity that's something we should applaud and shield, instead of branding it as criminal behaviour.

For me this is more akin to past cases of people being reprimanded for trying to change URL parameters that are not sufficiently protected, while I see that it might be a philosophical standpoint rather than a legal one, I think the fine in these cases should go to the negligent company, not some curious individual without malicious intent.