@liw What's tricky though is if you say "in the next 6 months my university is going to try to get malicious patches in", then the test is worthless.
I am not saying what was done was correct, I just don't see how one can both do a real test and get people's consent. The only alternative I can think of is privately getting the agreement of subsystem maintainers, but then you still experiment with the other developers without their consent.
@agateau That would be a perfectly reasonable objection if pen testing worked that way, but in general it does not.
Chief leadership is aware of the testing. The grunts are not.
A chief reason the leadership is made aware is so that the testers don't get shot / arrested. Though that doesn't always succeed.
But yeah: pre-disclosure is not a universal binary status. It can be to a subset of the group.
See also: red-team/blue-team.