Most of the work I write about here starts with an internal alert. Something fires, I investigate, I contain. March 25th was different. The notification came from outside, from an independent researcher named Eduard Vasile who had found an open directory listing on one of our public-facing servers and did the right thing by reporting it instead of doing something else with it.
What He Found
The server in question had a publicly accessible directory that shouldn’t have been. Inside it were two archive files, 149MB and 67MB respectively, that had apparently been sitting there since 2023. Two years of exposure on a public-facing server, no authentication required to access them.
The potential contents of those archives were the immediate concern: student records, source code, database credentials, configuration files. Any one of those would be a problem. The combination of all of them would be significantly worse. The researcher stated he had not downloaded the files, which is consistent with responsible disclosure behavior, but “stated he had not” and “confirmed he had not” are different things, and the investigation had to proceed accordingly.
Initial Concerns and FERPA
The potential contents of those archives drove the initial severity assessment. Student records, source code, database credentials, configuration files. Any of those would trigger FERPA considerations and potentially reporting obligations. The Family Educational Rights and Privacy Act governs how educational institutions handle student education records, and a two-year exposure window on a public server is exactly the kind of thing that requires careful assessment.
The key questions: what was actually in those archives, who had access to the directory during the exposure window, and whether there was any evidence of access beyond the researcher’s report. Web server access logs for the directory path were the starting point.
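As an added illustration of that starting point (example code, not from the original writeup), a small Python triage pass over combined-format access logs: the `/backup/` path, the archive file names, the client IPs and the timestamps are all constructed for the sample, while the 149MB and 67MB sizes come from the post and are used to tell a full download apart from a directory listing or a HEAD probe.

```python
import re
from collections import defaultdict
# Constructed sample log in combined log format. The path /backup/ and the file
# names are assumptions; the 149MB/67MB sizes are the figures from the writeup.
EXPOSED_DIR = "/backup/"
ARCHIVE_BYTES = {"site-2023.tar.gz": 149_000_000, "db-2023.zip": 67_000_000}
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2025:21:14:02 +0000] "GET /backup/ HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Mar/2025:21:14:09 +0000] "HEAD /backup/site-2023.tar.gz HTTP/1.1" 200 0 "-" "curl/8.4.0"
198.51.100.23 - - [02/Feb/2024:03:41:55 +0000] "GET /backup/db-2023.zip HTTP/1.1" 200 67000000 "-" "python-requests/2.31"
198.51.100.23 - - [02/Feb/2024:03:55:10 +0000] "GET /backup/site-2023.tar.gz HTTP/1.1" 206 52428800 "-" "python-requests/2.31"
192.0.2.44 - - [11/Jun/2024:12:00:03 +0000] "GET /backup/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
                    r' [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)')

def parse_line(line):
    """Pull client IP, timestamp, method, path, status and byte count from one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d

def classify(rec):
    """Label a hit under the exposed directory; a 200 carrying (almost) the whole file means it left the server."""
    name = rec["path"][len(EXPOSED_DIR):]
    if rec["status"] >= 400:
        return "denied"
    if name == "":
        return "listing"
    size = ARCHIVE_BYTES.get(name)
    if rec["method"] == "GET" and rec["status"] == 200 and size and rec["bytes"] >= 0.95 * size:
        return "full-download"
    if rec["method"] == "GET" and rec["status"] in (200, 206):
        return "partial-download"
    return "probe"  # HEAD requests, unknown file names, etc.

def triage(log_text):
    """Group every request under the exposed directory by client IP, in log order."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(EXPOSED_DIR):
            by_ip[rec["ip"]].append((rec["ts"], rec["method"], rec["path"], classify(rec)))
    return dict(by_ip)

def downloaders(by_ip):
    """IPs that pulled archive bytes; any of these beyond the reporter's needs an explanation."""
    return sorted(ip for ip, hits in by_ip.items() if any(h[3].endswith("download") for h in hits))
```

On a real server the byte counts in the log reflect what was sent, so a 206 or a short 200 against a multi-megabyte archive is evidence of partial retrieval, not proof the whole file was taken; the timestamps then narrow which part of the two-year window actually saw traffic.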
The Response
The directory was secured and the files were pulled from public access immediately. The relevant internal department was contacted. Eduard was kept in the loop throughout. Responsible disclosure is a two-way street. A researcher who takes the time to find something, document it, and report it rather than exploit it or sell it deserves a professional response and timely communication. That’s not just courtesy, it’s how you encourage the behavior you want from the security research community.
What the Investigation Found
After reviewing the actual contents of the archives, the outcome was better than the initial concern suggested. While data was present in the directory, no truly sensitive data had been exposed. No student records, no credentials, nothing that triggered regulatory reporting obligations.
That’s the best-case resolution to this kind of report. The exposure window was real, the vulnerability was real, and the response was still necessary. The difference between “this turned out fine” and “this turned out to be a significant breach” was largely luck and the fact that the right data hadn’t ended up in that directory. A useful reminder that the severity of a misconfiguration isn’t only about what was there. It’s also about what could have been.
The Researcher
It’s worth saying directly: Eduard Vasile did the right thing. Finding an open directory on a public server and reporting it to the institution rather than downloading the contents and walking away with them represents exactly the kind of behavior the security community benefits from. Not every researcher makes that choice, and the ones who do deserve acknowledgment.
If you find something on a system you’re not authorized to access, report it. The responsible disclosure process exists precisely for situations like this one.
This writeup describes an incident at a large institution. Identifying details have been generalized where appropriate. The researcher’s name is included with the intent to credit responsible behavior.