Quest for the Merit Badge
Isaiah sat down at a small table with an old laptop whirring. He watched the younger kids of his Scout troop run around, burning off their energy while the older scouts were standing around a holographic map of the Pine Barrens as they planned out a hike for the upcoming weekend.
There was a small paper sign taped to the front of the table that read ‘Tech Hub’. It was just the only spot in this cavernous community hall that was close to a power outlet. His attention was focused on a technical manual on Transport Layer Security protocols that he was in the middle of.
“Hey there, little eaglet. Still reading?” asked Mr. Henderson as he approached.
The Scoutmaster was a tall, thin man with graying hair and wire-rimmed glasses. He had a kind face that made Isaiah feel at ease.
“I’m just trying to finish up the Cybersecurity merit badge, sir,” he answered quietly. “I just need to complete one more exercise before I can submit everything for approval.”
“Right, which one is that again?” Mr. Henderson asked, pulling up a chair next to Isaiah.
“Requirement 9. It says I need to ‘Identify a potential cybersecurity vulnerability in a public-facing system and document the finding according to responsible disclosure practices,’” Isaiah recalled the requirement from the handbook.
Mr. Henderson straightened and his smile weakened. “That is a tricky one. Keep in mind that you need to be very careful about that. Don’t poke around where you shouldn’t. Keep in mind you need to be ‘responsible’. The BSA has a list of pre-approved sandboxes you can use.”
“I know sir, but they just seem too simple. I want to actually learn something. The book does acknowledge that live systems are better for learning, as long as you disclose everything properly.”
“True, but don’t forget this isn’t just looking at a weekend craft project. These are real systems that people rely on.”
“I’m just trying to look at the front door,” Isaiah said reassuringly. “I’m not going to try to pick the lock or anything.”
Mr. Henderson didn’t say anything for a moment. He just looked at the earnestness in Isaiah’s eyes. It wasn’t the first time the boy had pushed the boundaries. The last time they went camping, he had volunteered to reverse engineer their malfunctioning solar water purifier rather than spending the afternoon learning to tie more knots.
“Okay, just keep in mind what I said about being responsible,” he finally relented.
From the window of his family’s small apartment, Isaiah could see the Philadelphia skyline lit up on the other side of the Delaware River. Holographic billboards situated on the bridge flickered to show off the latest gadgets from Redside Shiner Corp, the city’s largest tech company. He could spend hours just watching the autonomous cars and PATCO trains zip back and forth over the brightly lit bridge.
But he didn’t live in the big city. Camden was a city, technically, yet it lacked the prestige of its neighbor across the river. It was grittier, poorer, and often ignored by the tech boom and state politicians. His mother had to work two jobs just to make ends meet, and to make sure Isaiah had a better life than she ever did. He had to make something of himself, for her.
His computer desk sat on the opposite wall from his bed, just ten feet away. The desk had been one of his first scouting projects, something that earned him a merit badge in woodworking. It was simple, but sturdy enough to hold his aging laptop and a few tech manuals he picked up from the local library.
Isaiah put his earbuds in his ears and the world of the city outside was replaced with the beating pulse of vaporwave music. He opened up a terminal window and opened up the merit badge requirements in another window. He had to find a target.
He closed his eyes for a moment, thinking. What public-facing systems might have a vulnerability? Small businesses were often careless, but they would probably all be uninteresting. He wanted to find something more challenging.
Then he opened a new browser tab and searched for “philadelphia police department”.
It was a good first target. The digital infrastructure was publicly funded, so presumably should be secure. It was also personally interesting to him. He remembered the police drone that had passed over his neighborhood a few weeks ago and misidentified his neighbor as a suspect. The drone had followed him for the next week, causing a lot of stress for everyone in the building. He had to make sure they were doing their job right.
In his terminal, he thought that the first step would be a simple network scan to see what might even be accessible to the public.
$ nmap -sV -p 80,443 phillypd.gov
In the text document, he started documenting his observations below the requirement description.
First, use Nmap to perform a basic scan on the standard web ports. 80 is for HTTP and 443 is for HTTPS. Basically we’re just looking at the front door and the side entrance. Both are guarded by a company called Apache.
An Apache web server running on a city-managed server was typical. Maybe his report wouldn’t result in anything at all, but at least he would show that he had done his homework.
The next step was to check the directory structure. He had a script which cycled through a long list of common folder names. In theory, they should all be blocked off to the public, but sometimes mistakes were made.
$ ./dirbust.sh http://phillypd.gov/
After a few minutes, the script finished and a notification popped up in a corner of the screen letting him know to return to the window and check the results that appeared in an ASCII table.
There was just a single result that glowed back at him:
>>> [200] /cms_v_8_1_2_backup/
Isaiah’s heart skipped a beat. A backup folder for the CMS software? That could be interesting. Something like that should never be visible to the public Internet. Someone must have made a mistake.
He copied the path and pasted it into the browser running within a sandboxed virtual machine, which would isolate any potential damage to the rest of his system. The page loaded instantly, displaying a handful of XML configuration files in a simple directory listing. Beyond the XML files, he saw a text file for logs and a barebones `README.txt`. Nothing seemed especially sensitive, like passwords or user data.
He was about to close the tab as a dead end and document it when he checked the folder name once again. The content management system was produced by Redside Shiner, whose software was used by dozens of cities across the East Coast for their public and private websites. It handled patrol car routing, evidence logging, and even some internal communications.
He decided to double check the version number of the CMS software. Maybe there was something interesting there. He quickly discovered the changelog and compared the version number to the latest release on Redside Shiner’s website. Version 8.1.2 had been released six years ago. In the world of software, this was ancient.
He opened a new tab and searched for “Redside Shiner CMS 8.1.2 vulnerabilities”. There was a common exploit database, something crowdsourced by security researchers, which publicly disclosed known vulnerabilities in software packages. Redside Shiner would’ve issued patches against whatever he’d find, but that still required the city to update their software.
However, when he opened the database, he discovered no results. It seemed strange to him that such an old version of a widely used CMS would have no known vulnerabilities. He decided to check the National Vulnerability Database, which was maintained by the MITRE corporation. Maybe they had posted a CVE related to this version.
Yet again, he couldn’t find any results.
Code ages like milk, he thought to himself. Six-year-old software definitely should have a CVE history by now. It seemed impossible that nothing had come up in all that time. He knew he had to be the one to check it out.
He created a new virtual machine and allocated enough resources to make sure it could run enough diagnostic tools. He allocated sixteen gigabytes of RAM and a terabyte of storage, just to be safe. He installed a fresh copy of Linux and configured its network settings through a VPN, just to make sure his real IP address wouldn’t be discovered if anything went wrong.
In this virtual machine, he installed that version of the CMS into his digital clean room. Over the next two days, he’d run home from school and immediately dive back into his project. He didn’t know how to code that well, but he tried to follow the various API calls and wrote an architectural diagram in his notebook as he pulled on each thread. He mumbled to himself as he worked.
Whenever he ran into something he didn’t understand, he’d look it up online. The auth system in particular confused him, so he spent an entire afternoon following an old forum post in order to learn about session management and authorization tokens.
One part of the auth code in particular was bothering him. The auth check was supposed to grant access by checking the user’s email and password against a database. Depending on the `role` column, they could be given administrator privileges.
However, there was something in the implementation that seemed off. When the database was first installed, it added a dummy user with the email admin@example.com and a default password of password123. The code was supposed to force the user to change their password on first login, but there was no actual check to enforce that.
Isaiah’s eyes widened. If he could log in as that default admin user, he could potentially access the entire CMS backend. That would be a serious vulnerability.
He quickly typed a short ten-line Python script that was meant to test the vulnerability. The script would just send an authorization request to the Philly PD CMS login endpoint with the default credentials.
He took a deep breath and executed the script.
$ python3 ./exploit.py
# Response: 200 OK - Logged in as admin
He immediately pushed back from his desk, wheeling across the room as his heart raced. He had just gotten root access to the PD’s CMS. What could the damage be? Probably a lot. He could delete files, steal data, or even shut down the entire system. But he had to stay calm. That was just in a backup folder. Could it be that easy on the real system?
He opened a new tab in his sandboxed browser and navigated to the main CMS login page. He entered the default admin credentials and hit enter.
Amazingly, he was logged in. A large dashboard appeared, showing various statistics about website traffic, user accounts, and even police reports that had been filed online.
No, ‘amazed’ was the wrong word. It was terrifying. A malicious actor could do all kinds of damage to this system, and he was now technically one of them. And maybe the Philly PD was just the tip of the iceberg. How many other cities and municipal systems were running this same outdated software with the same vulnerability? How many people could be affected?
Sitting next to his laptop, at the top of his pile of books, was the Boy Scout handbook. He looked at the bookmark hanging prominently from the top of the book, which marked the Scout Law. The first point read: “A Scout is Trustworthy.”
Now he had been handed a serious responsibility and he had to do the right thing. According to the guide for his Cybersecurity merit badge, that meant he had to follow responsible disclosure practices.
The first step, according to the handbook, was to identify the right contact. That would be Redside Shiner. He opened their corporate website and scrolled through the bright, shining homepage full of smiling employees and marketing terms. At the very bottom of the page was a tiny list of links. One of them read “Security”.
When he pressed it, he was taken to a page designed far differently than the glossy front page. The colors were muted and the page was professional. It described their bug bounty program, including the types of vulnerabilities they were interested in and the promise of “safe harbor” for security researchers who followed the rules. Below that was a bit of information on the money they would pay out depending on the severity of the issue. The top sum, an impressive amount, was for remote code execution or admin access. It made his breath catch.
As he began drafting his report, he checked and double-checked it, passing it through several online AI grammar checkers. He didn’t want it to sound like a kid from Camden wrote it. He wanted to sound like a real professional.
Vulnerability Report: Redside Shiner CMS 8.1.2 - Authentication Bypass via Default Credentials
Submitted by: I. Williams (Independent Researcher)
1. Executive Summary:
A critical authentication bypass vulnerability exists in Redside Shiner’s CMS version 8.1.2. The flaw allows an unauthenticated remote attacker to gain administrative access by utilizing hardcoded default credentials present in the system upon initial installation. This vulnerability could lead to full system compromise, data breaches, and unauthorized modifications to municipal websites and services.
2. Technical Description:
The vulnerability arises from the presence of default administrative credentials. When a rogue actor accesses the CMS login endpoint with the default username and password, and if the IT administrator has not changed these credentials post-deployment, the system grants full administrative privileges without any further verification.
…
He made sure to include everything he discovered including his makeshift script and the potential impact to the police department and other hypothetical clients that might be using the same software.
His heart was pounding in his chest as he hit send on the email containing his report to the security email address listed on the Redside Shiner site. He hoped he had done the right thing.
For the next two days, he was on edge. It didn’t help that it was the weekend. Professionals were not going to be checking on things until Monday at the earliest. Still, every time he heard a notification ping on his laptop, he immediately jumped up and rushed over to check it.
His anticipation extended beyond just an email reply. What if Redside Shiner decided they’d take legal action against him? What if his description of accessing the police department led to police drones descending on the building? He worried that Mr. Henderson would admonish him for going beyond the approved sandboxes.
As soon as school ended, he ran home and opened his laptop. There, in his inbox, was an email from “security@redside.com”:
Dear Mr. Williams,
Thank you for your submission and for your adherence to responsible disclosure protocols.
We have reviewed your report regarding the authentication bypass vulnerability in Redside Shiner CMS version 8.1.2. We can confirm the existence of this vulnerability and appreciate your efforts in bringing it to our attention. We are currently working on a patch to address this issue and will be notifying all affected clients to ensure they update their systems promptly.
Thank you again for your report. We will be crediting you in our official advisory once the patch is released. Our team will follow up in the next few days with regards to the bounty program.
Sincerely,
Cody Fisher
Lead Security Engineer
The tension drained out of Isaiah so quickly he grew dizzy and fell back in his bed. A slow smile spread across his face. He had actually done something good.
Isaiah took a look at the old community hall as he walked up the steps. In his crisp scouting uniform, looking out at the crowd of fellow scouts and their families, he took a deep breath and stood at attention.
Mr. Henderson stood before him at the podium with a small box in his hand that contained the cherished Cybersecurity merit badge.
“The Scout Law begins with a single word, but one that is very powerful. To be ‘trustworthy’ means more than just keeping a promise or helping a friend. In today’s world, it means you are often asked to navigate new worlds and spaces. You will find strangers who don’t know of you or your intentions. It is in those times that you need to demonstrate your trustworthiness. Isaiah here has recently demonstrated what that means. When he found a danger that could hurt many people, he did not take advantage of it. He reported it. He helped fix it.”
He opened the box and carefully pinned the Cybersecurity merit badge onto Isaiah’s sash. “You’ve more than earned this,” he whispered, his voice thick with pride.
While Isaiah felt proud of his accomplishment in that moment, it wasn’t until the next morning that he really understood his impact. When he brought the mail back inside from the apartment’s mailbox, he saw one of the letters addressed to him. It was from Redside Shiner.
He opened it carefully, expecting just to receive a personal thanks or some nice certificate. Instead, he found a check in his name with the value of $20,000. It was his bounty, a sum far more than he could ever have imagined.
“Mom?” he called out as he dropped the rest in a small pile on the kitchen table.
She came in, still brushing her hair and looked down at him. When she saw the check, she looked confused for a moment and then her eyes grew wide.
“Isaiah… what is this?” she asked, her voice trembling.
“It’s my bounty,” he whispered. “For my report.”
His mom grabbed him and pulled him into a tight hug. Even though he couldn’t see her face, he could hear her sniffle and felt her body shake with emotion. He couldn’t help but feel a bit emotional himself. He could finally feel like he was helping provide for them both.
That evening, he sat on the roof of his building and stared out at the shining lights of Philadelphia. The city was beautiful, but now he thought of it as more than just a backdrop. It was a complex system of networks that people depended on every day. Real, working people like his mom and now himself.
It was a system that was imperfect, full of stale processes and human error. It needed people to keep it safe. His passion was not just a hobby or a game. It was his purpose. He stood up and headed back inside, ready to turn on his laptop again and continue learning.
When I was in Boy Scouts, we didn’t have a Cybersecurity Merit Badge. The next generation has a new opportunity to learn new things. I hope we can use opportunities like this for everyone to gain a better understanding of how to protect our digital realms.


