> i think you may exploit this vuln and get several SSN, and then email > to the institute to show the severity of your report. > In the US, doing that could get you into a ton of criminal and civil trouble (I'm sad to say). What steps did the original poster take to notify the institution, exactly?