A recent incident in Bulgaria underscores the major risks security researchers may face when disclosing vulnerabilities. Last week, a researcher named Petko Petrov published a demo of a critical vulnerability in a Bulgarian municipality's web portal, which parents use to sign their children up for kindergarten. The flaw allowed the researcher to download personal data belonging to 235,543 citizens of Stara Zagora, a province with over 333,000 inhabitants. Since the vulnerable software is also used in other regions of Bulgaria, the data of many more Bulgarian citizens may be at risk.
The researcher explained that he had contacted the municipality and the software developer about the issue, but had received no response. After the video was published, Petrov was arrested by local authorities. While he was released within 24 hours, he may face one to three years in prison and a fine of around $2,900 based on pending charges against him.
Read more: Bulgarian IT expert arrested after demoing vulnerability in kindergarten software