Boy’s responsible disclosure turned wrong

Here is another case showing that those who are into “responsible disclosure” must not mess with confidential data on a system without the owner’s consent.


A schoolboy, 16-year-old Joshua Rogers, found a common web application flaw in the website of Public Transport Victoria (PTV) in Australia, which contained a large amount of personal data.

As part of what he described as “responsible disclosure” as a security researcher, he contacted PTV but got no response up until Monday, according to a report by Brisbane Times.

The report added that the database Rogers dug into contained a large amount of personal data, including full names, addresses, home and mobile phone numbers, email addresses, dates of birth, seniors card ID numbers, and partial credit card numbers of customers of the Metlink public transport online store.

It turns out that PTV reported the ‘considered’ security breach to authorities.

“Victoria Police has received a report from Public Transport Victoria relating to the unauthorised access to their network. As the matter is currently under investigation we are not in a position to comment,” a spokeswoman said.

PTV further said that the boy illegally accessed one of its databases.

Phil Kernick, the chief technology officer of cyber security consultancy CQR, stated, “[Rogers] wasn’t authorised by Public Transport Victoria to do this testing, but he didn’t make the data of all of the users of PTV available, they did.”

About Clifford Trigo

I am Clifford Trigo, a proud Boholano / Pinoy / Filipino Web App Security Researcher. Day by day, I'm learning new things :)) Visit my HackerOne profile, currently at top 2 overall :D