Summary by sanrock
Responsible Disclosure Report — NASA VDP (Resolved)
Public Exposure of FTP Credentials in CORAL Mission Document
Executive Summary
On October 17, 2025, I identified — through passive OSINT research — a publicly accessible document related to NASA’s CORAL (Coral Reef Airborne Laboratory) project containing FTP URLs with embedded credentials in plain text. The finding was responsibly reported through NASA’s official Vulnerability Disclosure Program (VDP) hosted on Bugcrowd.
The issue was acknowledged, validated, and fully resolved by NASA in under seven days, and I received an official Letter of Appreciation recognizing the contribution to the security of NASA systems.
Scope and Methodology
- Scope: A public document (PDF) hosted on a third-party public storage service that included FTP URLs with user:password combinations.
Methodology:
- Discovery via passive open-source intelligence (OSINT) search queries.
- Manual review of public materials without any authentication, exploitation, or data extraction.
- All evidence was properly redacted before submission, following the responsible disclosure policy of NASA’s VDP.
Timeline
- October 17, 2025: Discovery and submission of the vulnerability report to NASA via Bugcrowd.
- October 17–22, 2025: Validation by Bugcrowd triage team and technical verification by NASA’s security engineers.
- October 22, 2025: NASA issued an official Letter of Appreciation acknowledging the responsible reporting and confirming remediation.
Total time from submission to resolution: less than 7 days.
Potential Impact (High-Level Summary)
While no exploitation was performed, the exposure of plaintext FTP credentials in public documentation could have led to:
- Unauthorized access to data repositories under the
avng.jpl.nasa.govdomain. - Potential reuse of credentials across related systems.
- Unintended disclosure of mission data, coordinates, or internal project structures.
- Security policy non-compliance related to credential handling and publication controls.
Remediation and Actions Taken
Following the report, the NASA/JPL team:
- Removed or restricted public access to the exposed document.
- Revoked and rotated any credentials referenced in the document.
- Conducted internal audits to detect unauthorized access attempts.
- Updated internal publication procedures to prevent inclusion of credentials in future data releases.
Final Status and Recognition
- Status: Resolved — the issue has been verified, mitigated, and closed by NASA.
- Recognition: An official Letter of Appreciation was issued by the NASA Vulnerability Disclosure Program (VDP), acknowledging the researcher’s contribution to the protection of NASA systems.
Ethical Statement
This finding was obtained exclusively through passive, open-source methods.
No authentication attempts, exploitation, or data access were performed at any stage.
All credentials and sensitive information were redacted before sharing with Bugcrowd or NASA.
Purpose of Disclosure
The goal of this disclosure is to highlight the effectiveness of responsible reporting and collaboration between researchers and government agencies.
It demonstrates that responsible, ethical OSINT can identify real risks and help secure critical infrastructure — in this case, with a complete validation and resolution cycle of under one week.
Researcher: sanrock
Program: NASA — Vulnerability Disclosure Program (via Bugcrowd)
Status: Resolved