I'm not quite sure that giving out his personal information to a group of annoyed developers is a good idea. Something about inciting a riot just seems wrong. We can't force him to play by our rules and see things our way (even though his is wrong. ;)
I can say that personally it does cause me to wonder about this "ethical hacker." (It says so on his resume. Really.) Personally, by endangering those who use the software that he examines, I see him more as a passive-aggressive black-hat. And maybe a little overzealous at that. http://drupal.org/node/372836 (which apparently he wasn't credited with) amounts to "if you let someone administer nodes they can change things."... Yes. Better though was http://justin.madirish.net/drupal6-cck-vulnerability. It boils down to 'people with "Use PHP input field settings" permissions can run PHP'... So... I guess that makes this an un-bug report? (Maybe an "Everything is working like it is supposed to." report?) At least now I know one less person that I have to take seriously (on a professional level.)

J Rogers

On Tuesday 12 May 2009 8:22:08 pm Karoly Negyesi wrote:
> Hi,
>
> This guy believes in full disclosure so much he discloses everything
> he finds instead of letting us fix and disclose. This happened more than
> once. So surely he won't mind if I disclose his mail sent to the
> security list. According to whois, he is
>
> Justin Klein Keane
> 1122 Green Street
> Philadelphia, PA 19123
> US
> Phone: 1-215-2320909
> Email: jke...@madirish.net
>
> I will let the creative members of the Drupal community figure out
> ways to express their displeasure with his practice.