What other places can someone report a vulnerability to that will get companies to actually listen and fix the issues reported? Is there a Google Project Zero for the rest of us?
It's a bit off-topic for the larger discussion of this bug, but how come?
Is this just a case of ‘Nobody ever got fired for choosing Blackboard’?
I would say it's more a case of "Nobody ever got fired"
As a former high-school hacker, I routinely reported major holes to District IT. No one gave a damn. Only once I started poking around private financial data did they raise hell, and even then it was "Show us what you have, tell us how you did it, and we'll let you walk. Otherwise we'll get the police involved."
Handed over my laptop; the IT guy managed to play some Rammstein accidentally but otherwise found nothing of note. I was banned from bringing, touching, or even being near a computer, my assigned seating was moved in all classes directly to the front, and that was that.
Kept in touch with a few of the tech-interested freshmen I knew during my senior year; nothing was ever patched, nothing changed over the ensuing years. The exact same exploits I informed them of were not touched.
There is simply no culture of accountability.
What I didn't know is that I would pick a random address that would knock one of the higher-ups off the net. Let me tell you, they did not like that one bit.
I came back one day to my roommate saying that they had raided my room trying to get into my PC. I ended up walking into the Dean of Student Life's office and explaining how I got back online. The head of IT didn't believe me, saying you couldn't change your IP by changing your MAC address, let alone that changing your MAC address was even possible. I didn't even bother trying to prove it. Mind you, they also printed out like 200 pages of IRC logs. I kept that open all day while in class, so who knows what it captured.
In the end I got the Kevin Mitnick treatment and they prevented me from using my dorm net as well as any campus PC.
I just got a long Cat 5 cable and ran it into the other room. What was odd was that they were OK with letting me do my work study, which gave me access to the school website. I guess they would rather let me do that than fool around with other stuff.
Some time back, I found multiple critical vulnerabilities in the most used school database system in the Czech Republic. The whole software is a mishmash of native Windows apps in Delphi and Visual FoxPro and an ASP.NET web interface built in a combination of VB, C# and WebForms. The desktop apps access MS SQL Server directly and security seems to have been done by a very uninformed person (the functionality is only a little better).
I first told my school's network admin, who contacted the developers, who fixed the issues relatively quickly. Everything went relatively smoothly for me, but I know this depends mainly on the individual people involved.
At university, where they still had HP-UX, I asked the IT department if I could get printer credits in exchange for the exploits I reported, and he immediately got angry, saying I should be proud to report them.
Needless to say, I ended up not reporting anything and just keeping them to myself. Thinking back, I guess reporting it somewhere (maybe not in school) could have gotten me more opportunities, but who knows. I kinda wish there was some sort of mechanism to push people to make something out of their talents instead of suffocating them.
There's no incentive for one to give a damn, and we can't rely on good IT to be present in any given organization.
To contrast, I was arrested and sent to county jail, charged as an adult on a "disturbing the peace" style charge, by the same school for telling an administrator, in private, to fuck off in response to a punishment levied without being told what I had actually done.
The lesson that many in positions of authority are petty-minded fools is a valuable part of your education.
Senior year they got some software that would allow a teacher to monitor all classroom computer screens, thus precluding our being able to play anymore. So the same buddy of mine behind the Counter-Strike copies made a wallpaper that was a screenshot of all kinds of infosec tools, Wireshark, Metasploit, etc.
They didn't like that one either.
Who knows, maybe they were just running a honeypot and pretending to be outraged.
Sadly, I believe it is. My school recently moved off Blackboard to Canvas after at least ten years. While some teachers were relieved to move to a more modern system that supposedly offers them a better experience (it certainly offers students a better experience), many teachers rejected it as they did not want to learn a new system. My older instructors hardly ever post to Canvas besides updating grades, saying they just don't want to learn it.
Luckily for whoever set up Canvas at our school, I don't think they will get fired over it, but the resistance from staff makes me understand why other schools would feel hesitant to switch off Blackboard.
After reporting it, they thanked me and said they would be in touch when they addressed it. I never heard from them again, and it seems they didn't take security much more seriously.
The VP responded pretty quickly, forwarded my email on his people, and I wound up getting some free miles.
I was kinda surprised to learn how easy it is to get most corporate email addresses through this experience.
So - someone is lying. Isn't lying about the extent of a security breach a fairly serious matter? Blackboard operates in the EU. Is the disclosure portion of the GDPR retroactive?
Of course - I'm not making any presumptions about which of the two parties is a liar!
Sakai and Canvas seem easy enough to set up that I can't imagine Blackboard can continue making money for much longer.
There's another system called LON-CAPA (written in Perl) that seems ancient compared to the other competing systems. It was very easy to use and "just worked", but it felt like it was straight out of the Web 1.0 era.
That test LMS became the LMS for a few major airlines and a large Fortune 50 company (uplifted through a few software shifts). It lasted for more than a decade before being replaced by an "Enterprise" solution, I think it was Blackboard (took 2 years to get it set up right, and people in the know still don't like it).
Blackboard has a lot of useful features built up over the years, and they're not all bugs.
People need a reason to change the software they use; when it means retraining a district full of teachers then the reason needs to be good.
The problem is that the market is next to impossible to get into. They're like Photoshop - they've got an army of people trained in using their super complex UI. It's the de facto standard in the market; they've built a massive moat which will be extremely hard to get past.
Sometimes, unfortunately, you can get away with a worse product and better marketing!
Back when I was a SE student, we wrote an application for our university that students could use to access their examination schedules without having to look through the Blackboard calendar.
Which was so much better, because you did not have to log in and it was faster than going through Blackboard's UI...
Canvas is the new kid on the block. Even Canvas has issues though so it’s great as a replacement for Blackboard, but there’s still plenty more that can be disrupted and improved.
But the big plus: Open Source and completely free to self-host
My high school's records were similarly unsecured - I got a surprising amount of read-only access (including how much money was on students' IDs for lunch), but couldn't change anything.
In the "good" old days (some of us will recall mind you), those in power ($) controlled all information flow. We now have (though not as strong as I would like it) outlets in which an individual, without corp sponsorship, can have their voice hosted and maybe heard. This is a vast improvement.
those in power ($) controlled all information flow.
...replace '$' with 'knowledge (of bugs, etc.)' and that would be more accurate.
He presented his findings at Defcon, pretty standard operating procedure these days. Instead of pretending bugs are rare and hard to find, we're becoming more accepting that bugs will be found, and allowing people to responsibly disclose them is the best way so far.
Regardless of their motives, their (responsible) disclosures generally benefit the users of the software. Also, it's work, and it seems fair to compensate them. Some of these bugs are not shallow, and it takes a remarkable amount of patience and talent to find them, so in some cases they really are good and deserve some recognition.
It's like everyone is looking for approval, and in more public settings.