Last month, around Christmas, a sixteen-year-old Australian named Joshua Rogers living in Victoria told the Transport Department that its Metlink website was exposing the sensitive details of over 600,000 transit users, including "full names, addresses, home and mobile phone numbers, email addresses, dates of birth, and a nine-digit extract of credit card numbers."
He waited two weeks, but after he had not heard from Metlink -- and as the data exposure was ongoing -- he went to the national newspaper The Age, who called the Transport Department for comment. Whereupon the Transport Department called the police, who arrested the teenager.
It may be that the mistake that exposed all this sensitive data was an "honest" one -- after all, there's no experimental methodology for verifying security apart from telling people what you're doing and asking them to poke holes in it. Security is a process, not a product.
But that means that anyone who keeps sensitive public information on hand has a duty to take bug reports about vulnerabilities seriously, and to act on them quickly. Killing (or arresting) the messenger is absolutely unforgivable, not merely because of the injustice to this one person, but because it creates a chilling effect on all future bug-reporters, and not just for your service, but for all of them.
The Transport Department hasn't only unjustly punished an innocent person; it hasn't only weakened its own security; it hasn't only failed in its duty to its customers -- it has struck a blow against the very idea of security itself, and harmed us all. Read the rest