[development] Irresponsible security researcher

Joshua Rogers me at joshuarogers.net
Wed May 13 14:14:39 UTC 2009

I'm not quite sure that giving out his personal information to a group of 
annoyed developers is a good idea.  Something about inciting a riot just seems 
wrong.  We can't force him to play by our rules and see things our way (even 
though his is wrong. ;)

I can say that personally it does cause me to wonder about this "ethical 
hacker."  (It says so on his resume.  Really.)  Personally, by endangering 
those who use the software that he exams, I see him more as a passive-
aggressive black-hat.  And maybe a little over jealous at that. 

http://drupal.org/node/372836 (which apparently he wasn't credited with) 
amounts to "if you let someone administer nodes they can change things."...  
Yes.  Better though was http://justin.madirish.net/drupal6-cck-vulnerability.  
It boils down to 'people with "Use PHP input field settings" permissions can 
run PHP'...  So...  I guess that makes this a un-bug report?  (Maybe an 
"Everything is working like it is supposed to." report?)

At least now I know one less person that I have to take seriously (on a 
professional level.)

J Rogers

On Tuesday 12 May 2009 8:22:08 pm Karoly Negyesi wrote:
> Hi,
> This guy believes in full disclosure so much he discloses everything
> he finds instead letting us fix and disclose. This happened more than
> once. So surely he wont mind if I disclose his mail sent to the
> security list. According to whois, he is
>       Justin Klein Keane
>       1122 Green Street
>       Philadelphia, PA 19123
>       US
>       Phone: 1-215-2320909
>       Email: jkeane at madirish.net
> I will let the creative members of the Drupal community figure out
> ways to express their displeasure with his practice.

More information about the development mailing list