Over the years we've seen so many stories of the messengers
being blamed for finding security holes that you would think that most folks would realize how dangerous it is to do so. After all, that just encourages those who find security holes to keep quiet
resulting in huge security vulnerabilities left wide open
for those with malicious intent to exploit. However, what happens in cases where someone alerts those responsible for the flaw, but also is exploiting the flaw in some way? Do the lines get blurry?
For example, there's a story making the rounds about a 15-year-old student who has been charged with various crimes
after accessing data on school employees. Apparently the school misconfigured its servers, meaning that plenty of students could have gotten access to the file. What's unclear, however, is the student's motive. In the article linked above, it just says that one of the two students who accessed the data "alerted the principal" of the security hole, sending a semi-anonymous email signed from "a student." However, the kid was quickly tracked down and promptly arrested.
On reading that story, it certainly sounds like yet another case of "blame the messenger." But it's not clear if that's really accurate. A local newspaper's version of the story is somewhat different, where it's claimed that the "alert" to the principal was the student sending an email saying "look what I have"
as if he were gloating -- rather than alerting the school to a security breach. The police officer involved in the case also claims that the kid "was looking to profit from his criminal act." There aren't any details provided to back that up, but it certainly sounds like there may be more to this story than just a kid alerting officials to a security breach.