How to report a security hole

    Xiangyang Liu wrote (#1):

    Suppose you are taking over the development of one of your company's commercial websites. You found a big security hole in the existing version which is in production already and you fixed it in the code. How do you or should you tell the upper management about this? Assume the following: 1. The people responsible will be very angry at you. 2. One of them is your good friend. 3. Nobody has exploited the security hole yet. 4. Based on past experience, you won't be rewarded or recognized for reporting this. Thanks.

      amclint wrote (#2):

      Shouldn't matter... we've all had our share of programming mishaps. If he put the security hole there intentionally to use it later for devious means, he should probably be mad, but otherwise, big deal. You found it and fixed it, less work for you than if someone had hacked in and created a nasty situation with many privacy notices going out.

      amclint There's no place like 127.0.0.1

        MoustafaS wrote (#3):

        A company that respects its employees will have employees that will respect it, though reporting will be your only option [In case you like this company :)]. About your friend: you may report this hole to the responsible team, so they will feel good about you, fix it, and have their way to tell the upper management.

        ------------------------------
        "About my religion : Islam ..."

          Colin Angus Mackay wrote (#4):

          Xiangyang Liu wrote:

          How do you or should you tell the upper management about this?

          Office politics - I've never figured it out.


          Upcoming events: * Glasgow: Geek Dinner (5th March) * Edinburgh: Web Security Conference Day for Windows Developers (12th April) My: Website | Blog | Photos

            DaTxomin wrote (#5):

            First, make triple-sure you are right about this. If the situation is ugly at your company, they will pound you to bits if you are wrong. Then take a look at your standards and the answer will be clear for you as to what to do. You should also consider moving to another company. If things are like this, you will eventually leave anyway. BTW: if one of those is a "good friend", bring it up with him/her first. Test that friendship carefully though.

              Bradml wrote (#6):

              If the company treats its developers so poorly then maybe there is another way to bring the exploit to their attention....


              Brad Australian - Captain See Sharp on "Religion" any half intelligent person can come to the conclusion that pink unicorns do not exist.

                Member 96 wrote (#7):

                Just tell the person who you should normally tell this kind of stuff to. You work for the company and just as you expect a paycheque they expect you to do your job. (And make sure you're right, of course, as others mentioned.) There is no gray room in this issue.
