Summary
On October 17, 2025, I identified — through passive OSINT research — a publicly accessible document related to NASA’s CORAL (Coral Reef Airborne Laboratory) project containing FTP URLs with embedded credentials in plain text. The finding was responsibly reported through NASA’s official Vulnerability Disclosure Program (VDP) hosted on Bugcrowd.
The issue was acknowledged, validated, and fully resolved by NASA in under seven days, and I received an official Letter of Appreciation recognizing the contribution to the security of NASA systems.
Methodology:
Total time from submission to resolution: less than 7 days.
While no exploitation was performed, the exposure of plaintext FTP credentials in public documentation (FTP itself also transmits the username and password unencrypted on the wire, so anyone able to observe the session could recover them) could have led to:
Following the report, the NASA/JPL team:
This finding was obtained exclusively through passive, open-source methods.
No authentication attempts, exploitation, or data access were performed at any stage.
All credentials and sensitive information were redacted before sharing with Bugcrowd or NASA.
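The two practical steps behind this kind of finding are spotting URLs that carry `user:password@` in their authority part and redacting them before the document is shared in a report. The script below is an added example written for this page; it is not the tooling used in the disclosure and does not reproduce the real document. The sample text (`SAMPLE_DOC`, the hostnames under `example.org`, the usernames and the password) is constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# A URL whose authority part contains userinfo ("user@" or "user:password@").
# The final character class keeps trailing sentence punctuation out of the match.
URL_WITH_USERINFO = re.compile(
    r"\b[A-Za-z][A-Za-z0-9+.-]*://[^\s/?#@]+@[^\s\"'<>]*[^\s\"'<>.,;:)]"
)

# Schemes that send the credential in the clear on the wire.
CLEARTEXT_SCHEMES = {"ftp", "http", "telnet"}

# Constructed sample text; nothing here is from the real document.
SAMPLE_DOC = """
Level-2 products are staged at ftp://field_user:Hunter2@ftp.example.org/l2/.
Browse imagery: ftp://anonymous@ftp.example.org/pub/ (anonymous login only).
The public web portal at https://portal.example.org/ needs no credentials.
"""


def find_embedded_credentials(text):
    """Return one finding per URL that embeds userinfo, with a rough severity."""
    findings = []
    for match in URL_WITH_USERINFO.finditer(text):
        url = match.group(0)
        parts = urlsplit(url)
        if parts.username is None:  # "@" was not a userinfo separator
            continue
        scheme = parts.scheme.lower()
        has_password = parts.password is not None
        if has_password and scheme in CLEARTEXT_SCHEMES:
            severity = "high"      # reusable secret, and sent unencrypted in use
        elif has_password:
            severity = "medium"
        else:
            severity = "low"       # e.g. anonymous FTP: username only
        findings.append({
            "url": url,
            "scheme": scheme,
            "host": parts.hostname,
            "username": parts.username,
            "has_password": has_password,
            "cleartext_transport": scheme in CLEARTEXT_SCHEMES,
            "severity": severity,
        })
    return findings


def redact_url(url):
    """Replace the userinfo of a URL with placeholders; leave other URLs unchanged."""
    parts = urlsplit(url)
    if parts.username is None:
        return url
    # Keep the host (and port, IPv6 brackets) exactly as written after the last "@".
    host = parts.netloc.rsplit("@", 1)[1]
    userinfo = "<REDACTED>:<REDACTED>" if parts.password is not None else "<REDACTED>"
    return urlunsplit((parts.scheme, f"{userinfo}@{host}", parts.path, parts.query, parts.fragment))


def redact_text(text):
    """Redact every credential-bearing URL in a block of text before sharing it."""
    return URL_WITH_USERINFO.sub(lambda m: redact_url(m.group(0)), text)


if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_DOC):
        print(f"[{f['severity']}] {f['scheme']}://{f['host']} user={f['username']} "
              f"password={'yes' if f['has_password'] else 'no'}")
    print(redact_text(SAMPLE_DOC))
```

Run the redacted output through a second pass of `find_embedded_credentials` before attaching it to a report: if any finding still has `has_password` set, the redaction missed something. The `low` bucket exists because an `anonymous@` login on an FTP server is not a secret by itself, but it still tells you where the server is.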
The goal of this disclosure is to highlight the effectiveness of responsible reporting and collaboration between researchers and government agencies.
It demonstrates that responsible, ethical OSINT can identify real risks and help secure critical infrastructure — in this case, with a complete validation and resolution cycle of under one week.
Researcher: sanrock
Program: NASA — Vulnerability Disclosure Program (via Bugcrowd)
Status: Resolved