The university’s response really doesn’t surprise me. Such reports make bureaucrats defensive, and it’s typical to want to slay the messenger. There is a history of messenger-slaying in cybersecurity. Look up Randal Schwartz for a notorious case. The bureaucrats only respond positively if they’ve already established a procedure for responding positively, like a published bug bounty policy.
If I understand the original vulnerability correctly, I see why DePauw didn’t worry about it much. As a security person, I’d want to make sure that such carelessness isn’t applied to confidential student records. It seems likely, since a similar vulnerability exists in student scheduling.
It’s like squishing an insect. You can squish ants and get away with it. Squishing a hornet can make a whole nest angry.
Here’s my own ‘security assessment’ on the original vulnerability — it’s no big deal because the stakes are so low. If I followed this correctly,
- The attack isn’t available to the general public, only to people logged in to the DePauw system.
- The attack provides credentials for physical access to individual mailboxes, which reside on the DePauw campus.
- DePauw logs all transactions to retrieve mailbox combinations.
Should this vulnerability exist? No. Is it worth a lot of engineering to fix? That’s a matter of opinion. If it’s an ant, OK. But this seems to reflect deeper flaws in how the university protects student data. Squishing a hornet.