by jsvcycling 2501 days ago
A good friend of mine got suspended for a semester after he found a pretty trivial flaw in his university's password reset form that would ultimately allow him to reset the password of anyone who had an account on the school's network, including faculty and administrators. IT discovered him, locked him out of the network before he was able to report it, and threatened to take legal action. From what I've heard, they never fully fixed it. He went to a technology university, mind you.
1 comments

I found a blind SQL injection in my university course management system. Probably could have dropped the entire campus course list... but I didn't try. Found it at ~2-3 AM, and so figured I'd bother IT in the morning. Woke up to a locked account and a message from the dean of students to pay him a visit.

I got off with some stupid fine and my online access being locked for 30 days. Was pretty annoying though, because they counted the 30 days only while school was in semester. I happened to be doing this the final day of the semester... so that 30 days ended up being a lot longer.