<p>Recognizing a vulnerability is not the same as hacking the website. Some people like to peak underneath the cover and see how the internal tech works, such as looking at the source code of websites instead of just the clicking links. I do this myself from time to time, sometimes even using a program like HTTP Debugger to look at the specific server exchanges or a decompiler. I’ve never done this for nefarious purposes, more a combination of curiosity and wanting to improve skill/knowledge. I have no idea how far brown210 had to go to identify the vulnerability, but it may be far from what most would call “hacking.” </p>
<p>As a website owner, I’ve always been quite grateful when others have contacted me about security weaknesses or ideas for bug fixes. It has never even crossed my mind to even ask why they were looking at the internal code. Assuming Stanford doesn’t already know about the problem, I’d expect some groups at Stanford to be grateful since they’ve have had at least 2 serious hacks in the past year. I realize for a Stanford applicant, it’s a risk that could turn out positive or turn out negative, but it’s definitely a way to stand out, which is important with a 5-6% acceptance rate among a pool of highly qualified applicants.</p>