Big Vulnerability

<p>Hey guys! I’m a huge software/computer science geek. I may or may not have found a gaping hole in the security of Stanford’s website. I’m currently a high school junior and have won a few hackathons. Stanford is REALLY high on my list. The question I have is should I report the vulnerability or will reporting it hurt my chances of being accepted? Or on the flip side, will it help?! :smiley: Any advice would be greatly appreciated. Oh! Also, if I were to report it, who would I talk to? Thanks so much in advance.</p>

<p>^^while you’re at it…why don’t you let Stanford know how you were able to hack into your high school’s computers to change your grades/scores on your transcript…</p>

<p>…while there are many computer whizzes and hackers at Stanford…the ultimate hackers will never divulge or “brag” about their hacking activities especially DIRECTED at academic or government institutions…</p>

<p>…your name will start “popping up” on a future watch list…</p>

<p>…have you heard of the NSA…</p>

<p>…and don’t think Stanford/its affiliates doesn’t have a way to track your email/name back to the source…</p>

<p>…let me remind you about a tragic figure in the annals of hacking elite…a former Stanford student…</p>

<p><a href="http://www.en.wikipedia.org/wiki/Aaron_Swartz">Aaron Swartz - Wikipedia, the free encyclopedia</a></p>

<p>M.I.T. Cleared in Report After Suicide of Activist - The New York Times</p>

<p><a href="http://www.nbcnews.com/technology/one-year-after-his-death-aaron-swartz-remains-symbol-internet-2D11943945">One year after his death, Aaron Swartz remains a symbol for Internet activists - NBC News.com</a></p>

<p>Not to derail this discussion, but Gravitas, you’ve been an incredibly helpful and informative poster on this website ever since I’ve joined it. That said, your posts are always awfully tedious to read. Please, I beg of you, lay off the ellipses and use actual punctuation.</p>

<p>@beef…I use that style for EFFECT…it’s like poetry and bullet points wrapped into one…</p>

<p>…you can always ignore my “tedious” posts if you want to…amen?</p>

<p>I disagree. Many major organizations have been quite grateful to learn about vulnerabilities in their websites. For example, Google recently offered $3.14159 million in total prizes for persons that could hack Chrome OS as described at <a href="http://www.forbes.com/sites/andygreenberg/2013/01/28/google-offers-3-14159-million-in-total-rewards-for-chrome-os-hacking-contest/">Google Offers $3.14159 Million In Total Rewards For Chrome OS Hacking Contest - Forbes</a>. Stanford has shown preference towards applicants that win major awards in hackathons and has an annual Stanford vs Cal hackathon, as described at <a href="http://stanfordacm.com/hackathon/">http://stanfordacm.com/hackathon/</a> (note the company names that appear on the sponsors list). A few months ago a Stanford professor who was known as a computer hacker won the Nobel prize. Hackers have a history of being successful in Stanford’s tech startup culture. Of course Stanford also values moral integrity. The business school once automatically rejected applicants who tried to hack into their admission files. So I’d expect finding a vulnerability in the Stanford website is positive, but trying to exploit that vulnerability to your benefit is likely to get you rejected or worse.</p>

<p>Data…I agree about hacker mentality and startup culture being very strong and valued at Stanford…but I particularly agree with

</p>

<p>Yes, let it go. The first question I’d ask is, “Why were you hacking our site?”.</p>

<p>Considering that in all likelihood every other Stanford student has been admitted without hacking the website, I’d err on the side of caution here. Directing your efforts toward hacking contests/hackathons like the one Data10 mentioned would probably be a better use of your time.</p>

<p>Recognizing a vulnerability is not the same as hacking the website. Some people like to peek underneath the cover and see how the internal tech works, such as looking at the source code of websites instead of just clicking the links. I do this myself from time to time, sometimes even using a program like HTTP Debugger to look at the specific server exchanges or a decompiler. I’ve never done this for nefarious purposes, more a combination of curiosity and wanting to improve skill/knowledge. I have no idea how far brown210 had to go to identify the vulnerability, but it may be far from what most would call “hacking.”</p>

<p>As a website owner, I’ve always been quite grateful when others have contacted me about security weaknesses or ideas for bug fixes. It has never even crossed my mind to even ask why they were looking at the internal code. Assuming Stanford doesn’t already know about the problem, I’d expect some groups at Stanford to be grateful since they’ve had at least 2 serious hacks in the past year. I realize for a Stanford applicant, it’s a risk that could turn out positive or turn out negative, but it’s definitely a way to stand out, which is important with a 5-6% acceptance rate among a pool of highly qualified applicants.</p>

<p>Find the head of the Computer Science department on their website. Send him/her an email asking about ethical hacking and should someone report vulnerabilities. This can lead into you explaining that there are some known vulnerabilities with versions of java, apache or whatever you discovered. Asking about the ethics of helping find exploits can lead into a conversation where you “help” them by saying “I strongly recommend you look at the version of X that you are running because I discovered that version has the following vulnerabilities.”</p>

<p>“Oh, and btw, I’m a high school candidate very interested in Stanford.” Developing a relationship with a Stanford professor who can write a letter of recommendation would be worth a lot.</p>

<p>As someone in the tech field, I agree with a few posts about how you should proceed. You should be very humble and helpful otherwise you come off as a punk who spends their time attempting to hack university computers. Very delicate balance and it’s all in your delivery. Seek some adult advice from people you trust before you proceed. </p>

<p>And again, humbly present your findings or it could go south really quickly.</p>

<p>Thanks for all the suggestions, everyone. I will be certain to be humble and cautious in my wording.</p>


<p>A “hackathon” is an event in which participants work together to cobble together software (or sometimes hardware) systems, generally to accomplish a certain goal in a short amount of time. In this context, “hacking” describes the process of creating and has very little to do with cyber security.</p>