Thank you for the response. I’ve heard many of these points from several people and I figured that addressing them might grant some insight.
One of the largest criticisms is that my second round of testing was inappropriate, especially given my reasons. My reason of “the support of the student body and faculty” was meant to address the admin’s reason of angry board members and the idea that the admins were acting with that as their main motive. Additionally, I assumed that this swell in support would sway their opinion on how this should be approached.
I acknowledge that I did not do everything in the 100% correct way. There is also a lot that the university did that was correct. It was hard for me to understand the situation while trying to keep quiet about it because I was so focused on keeping quiet. Now that it is out, I am able to look at this from the larger perspective and recognize my own faults. If I were to rewrite this next week, I would be more critical of my own decisions.
That being said, I would like the takeaway from this post to be that those interested in hacking can face these kinds of situations if they’re not careful enough. I also want institutions to learn about these situations and, hopefully, start to act in a more welcoming and open way.
The biggest takeaway is that the details of this should not be hidden from students and should be disclosed, especially with leaked data that is this sensitive.