by glloydell
2456 days ago
> Sharing the dataset with the full email list instead of individually sharing his results with each person on the list definitely toes the boundary, but given that the parents are going to be the drivers of change in this situation I'd say it's reasonable. If you were in the same position as the author, how would you handle disclosure?
(Note: I shortened your quote, and the shortened bit does not give your intent. But it's the part I want to respond to. Other readers should read OP's full text.) The drivers of change with regards to the Equifax leak were the voting populace of the United States. I imagine if the Equifax hacker had sent the credit reports of everyone compromised by the leak to everyone compromised by the leak and claimed to be an honest security researcher, it wouldn't have gone well.
> If you were in the same position as the author, how would you handle disclosure?
The author mentioned having the contact information of the legal counsel of the school. Send an email to them saying that email addresses are PII and they shouldn't be widely distributed. Escalate from there. If they ignore it, send a spreadsheet of names, email addresses, and Facebook accounts to the lawyer. If they ignore that, start digging, send more. Anyway, the point is, start at DEFCON 4 and work your way up; don't immediately step to DEFCON 2. In this case, where the solution is to paste into the BCC box instead of the TO or CC box, a 30 day window ought to be sufficient, but a zero day window is completely unacceptable.