Julien Ahrens

Vulnerability Intel | ROP Gadget Hunter | Privacy Enthusiast | Full-time BugBounty hunter | @Hacker0x01 MVH | @SynackRedTeam member | on a world-trip

The University of Salzburg refuses security reports

27 Jun 2012 » Coordinations

Have you read one of my last articles regarding webmasters? The University of Salzburg didn’t, or at least didn’t want to.

In April I tried to contact the internal university IT staff about a possible Cross-Site Scripting security flaw on their main website, but got no answer (besides the auto-response from their helpdesk system).

After a few retries - well, only 3 mails (I’m a really tough spammer!) - to the same ticket system to which my first notification was sent (using my ticket number as a reference), I suddenly received an answer from one of the helpdesk operators, but his response wasn’t very eligible at all: “We never asked for your services so please stop spamming our ticketing system.” Slightly annoyed, I decided to send an email to their CIO asking about the reasons why the University refuses this kind of confidentially reported issue... but I have not received an answer until today.

The bad thing about this? Damn, it’s a university! A university should be able to handle this kind of information with caution. They have to behave like a shining example for all of their students!

At this point I would like to thank the German Media Press-Team of www.gulli.com for their help. The full press article can be found here (but be careful, it’s in German ;-) )!