The work related to my previous post was done in a class at the University of Illinois – Chicago. Considering that I am against vulnerability discovery and have also spoken out about courses that teach virus writing (not my favorite quote, btw), one might also assume that I am against this activity.
Yet I can’t bring myself to condemn this. In fact, on the whole it seems useful, even beneficial. I guess the difference is that there are a set of constraints around where to look (a bit broad) and the goal is to teach better software development, ultimately. As well, within the constraints of this class, it is likely that you can have more control over how the whole disclosure process is managed.