It's Vulnerable… Now What?: Three Diverse Tales of Woe and Remediation

Presented at Notacon 8 (2011), April 16, 2011, 8 p.m. (60 minutes)

Very few people in IT have the distinction of being considered a "security researcher" by title alone. Despite that designation, many of us run across security vulnerabilities every day and sometimes just go "ah, someone should report that!" rather than taking the initiative to wear the security researcher hat and handle it ourselves. In this presentation I will cover three diverse situations involving vulnerabilities that I ran across and how I went about getting them remediated. Situations include: a PII/PHI vulnerability in a SaaS application with 90,000 affected users; an open-source CMS SQL injection vulnerability (CVE-2010-4006); and a client's web site that was riddled with vulnerabilities from a contractor's poor programming practices. If you've wondered what you as a system administrator, web developer, or general IT enthusiast should do in these kinds of situations, come hear real stories and learn from my actions and related mistakes! Learn about requesting a CVE, contacting vendors, 0-day vs. vendor-friendly disclosure, and more. The presentation will feature code snippets/exploitation of each vulnerability and include screenshots (where allowed) of the situations.
Presenters:

  • Mark Stanislav
    Mark Stanislav holds his Bachelor's in Networking and IT Administration and is currently pursuing his Master's in Network Security - both from Eastern Michigan University. Mark works for a Linux-centric managed services provider near Detroit during the day and teaches Linux courses at EMU by night. His passions are information security, systems administration, cloud computing orchestration, and web programming. In his spare time, Mark runs the information security news aggregation web site uncompiled.com.