Oh, everyone knows that one single person can make things a lot worse. That's all that's happening here. That doesn't say anything about how much one single person can make things better. In the former case, your powers are amplified by the incompetence of everyone else involved; in the latter case, they are diminished.
Given the nature of these systems, this 1 person likely made the day to day lives of a lot of people better, providing an (arguably) snappier web interface to existing systems.
Granted, they've probably made someone's day a lot worse with this discovery, but..
They made the day of a lot of people, making the KCM program available to crewmembers of thousands of smaller airlines.
I take issue with the way that disclosure was implemented here. The responsible thing to do would be to contact the site first, no matter if 1 or 1000 employees.
Then you move forward with FAA, DHS, Etc. Assume that the site will act in good faith and recommend that they take down access until the problem is remedied, then back that up with disclosures and calls for auditing and verification to partner agencies.
Contacting the site first is the only honorable thing to do. It doesn’t mean you wait to contact other agencies, but contacting the site means the quickest halt to the vulnerability and least interruption to service. Disclosing to partner agencies is still required, of course, but hopefully they will be looking at a patched site and talking about how they can implement improvements in auditing the systems connected to the KCM service.
By disclosing in the right order you improve the possibility that organisations will focus on their appropriate role. The site fixes their egregious error and realises that their business depends on being secure, the TSA KCM manager realises that they need to vet access, and the FAA realises that the TSA needs to be supervised in the way that they interact with aircrew access.
Otherwise, everyone might just focus on the technical problem, which will be solved in a few hours or days and then go back to business as usual.
The vulnerability here actually is much, much larger thanSQL injection. It is an inherent vulnerability in the organisational structure and oversight, and this will only be addressed in a bureaucracy if the actual problem is made clear at each organisational level and no red herring excuses that allow finger pointing are provided.
Not to mention it’s a dick move to leave the technical people out of the loop completely in the process of disclosure, even if the disclosure is primarily of a systemic organisational failure.
I’m sure the individual responsible was much more alarmed to get a call from DHS than they would have been to get a call from security researchers, so the given rationale is clearly fictional.
Assume people will act in good faith, but don’t give them room not to. Trust but verify. When dealing with companies and orgs this is the way. When dealing with randos on the internet, not so much.
When things go well nobody notices. I’ve certainly headed off and found/fixed a lot of bad decisions in my career, some of my own included. There was a lot of impact there, and it’s good when it’s invisible!
