It doesn’t happen every day that you receive a letter of recognition from NASA - National Aeronautics and Space Administration, but it actually happened. I received an official acknowledgment for finding and reporting vulnerabilities in their systems.
How It All Started
While browsing the web, I decided to analyze some of NASA’s public servers. Among them, I found some that were vulnerable, so I decided to report my findings to their security team, following their responsible disclosure policy.
I gathered as much evidence as possible to explain to NASA’s security team:
- Where the vulnerability was located
- How to exploit it in technical terms
- What impact it had on their data
- How to fix it
After double-checking the information, I submitted the report to NASA’s security team, hoping for a response.
NASA’s Response
Within a few hours, NASA’s security team contacted me to confirm the validity of my report, acknowledging that the issue I identified was real and could pose actual risks to their systems’ security. They immediately began remediation operations.
They actively involved me in the resolution process, asking me to collaborate until the issue was definitively resolved. After the fix was implemented, they invited me to retest to verify the effectiveness of the solution, which was successful.
🚀 And then came the surprise:

The letter roughly says:
“On behalf of the National Aeronautics and Space Administration and NASA’s Vulnerability Disclosure Policy (VDP), we wish to recognize your efforts as an independent security researcher, both for identifying the vulnerability you reported and for following NASA’s VDP policy and guidelines in responsibly reporting it.
The ability to identify and report security vulnerabilities is a valuable skill in the cybersecurity field. Your report enabled NASA to become aware of otherwise unknown vulnerabilities, thereby helping to protect the integrity and availability of NASA’s information.
Please accept this letter as a token of appreciation for your efforts in identifying this vulnerability and in enabling NASA to continue advancing science, technology, aeronautics, and space exploration, with the goal of enhancing knowledge, education, innovation, economic vitality, and stewardship of the Earth. We are all part of the same security community, and your participation and expertise are highly valued.”
What I Learned
This experience taught me that:
🔹 Cybersecurity is a continuous challenge, but also a great opportunity to make a difference.
🔹 Responsible disclosure is an effective way to contribute to global security without causing harm or risk.
🔹 Even a single researcher, from the other side of the world, can make a contribution to high-level institutions.
There are many other organizations out there with responsible disclosure programs ready to welcome vulnerability reports. So, on to the next bug! 😎
