I think the moral of the story is: whatever you do, anonymize your tracks and do not inform the authorities. There is substantial risk and no reward for acting otherwise.
Having nearly been fired from a university for responsible disclosure, I agree completely; there is substantial risk and no reward for public disclosure of any kind in university environments.
Well yes, it can be leveraged. But one needs to be careful about it.
You can't just go talking about it or sending official letters to the administration or the IT department. Personally, should I want to disclose something like this, I would first approach a maverick amongst faculty staff to test the waters. After consultation with a person with good knowledge of the local political landscape, I would discreetly relay my knowledge.
But it is still risky and leaving no evidence is still a safe bet.