How long to wait before escalating security issue?
Score: 8
Last night I was familiarizing myself with the codebase of an application that I will begin supporting. In doing so, I found a vulnerability that needs to be resolved. This application is core to the business, and if it is exploited, sensitive information will become available. In addition, this application has only gone live in the last few months, so I was really surprised at the use of code that has been considered obsolete and vulnerable for years.
After this discovery, I sent an email to the developer of the application explaining that this is an issue and why. I attached several links and a few academic papers to support what I was saying. His response was basically 'Yes, this could be better'.
I am good friends with this developer, and don't want him to feel that I am trying to dictate how his application should or should not be written, but this is a big issue. In the email, I started by saying that I wanted to bring this up with him before I talked to the Director of Security about this.
How long should I give him to get this fix on the docket before escalating to the Director of Security?
Tags: relationships, security
asked Aug 5 '16 at 16:21
JRLambert
4
You might consider going to the dev's team lead or manager before getting security involved.
– Telastyn
Aug 5 '16 at 16:31
4
I would escalate it quickly. I would shy away from showing academic papers but rather a full-blown example of it in action against the code base as a demonstration. Show what you did, how you did it, and how it is an exploit point. If it could "theoretically" be a vulnerability then it will require a bit more explanation on your part, but prepare to meet critics. At least you brought your point up then.
– Dan
Aug 5 '16 at 16:37
3
I'd suggest checking out the Disclosure tag over on security.stackexchange.com/questions/tagged/…
– Rory Alsop
Aug 5 '16 at 16:43
@RoryAlsop: That is about public disclosure. If a company employee publicly discloses a security problem of his company then that company employee will be an ex-employee.
– gnasher729
Aug 7 '16 at 21:07
gnasher729 - no, it covers both internal and external. Have a read of the questions. Loads in there on making sure timing is fair and ethical, when and how to escalate, and when to finally go public - which in some cases is absolutely the right thing to do, cf. whistleblowing.
– Rory Alsop
Aug 7 '16 at 22:32
3 Answers
Score: 16 (accepted answer). Answered Aug 5 '16 at 16:26 by PeteCon.
Speaking as a security analyst...
It's not a question of how long you should wait, but rather "What will you do when a hacker finds the exploit, and someone in your company realizes you already knew about it but did nothing?"
I'd say that you have a duty of care to escalate this issue as soon as possible. You might not need to go all the way to the Director of Security, but the Security Team in general need to be made aware. The mitigation request will then come from them down to the developer, and it will get attention.
Currently our Director of Security is our security team, so it has to be him. I can see your point, so I will bring this up today.
– JRLambert
Aug 5 '16 at 16:28
4
Further to this; there's no shame in a developer having inadvertently left a security hole in some code; he won't be disciplined for it. Best to find out now, rather than afterwards. However, if he doesn't learn, and carries on putting the same holes in his code, something will be said.
– PeteCon
Aug 5 '16 at 18:43
1
I took this to my manager after it was not brought up in scrum.
– JRLambert
Aug 5 '16 at 18:52
2
If you use scrum, you put it on the backlog, and bring it up in the scrum.
– gnasher729
Aug 7 '16 at 21:05
@JRLambert I agree, escalate to the right person using written means and don't do anything about it unless told. I already saw far worse than this and no one would care, so nothing was done, but that wasn't my responsibility anymore.
– Walfrat
Aug 8 '16 at 9:11
Score: 4. Answered Aug 7 '16 at 11:09 by Kilisi.
You could certainly bring it up with whoever is responsible and keep escalating until it gets fixed.
Personally, instead of telling the developer about the problem and leaving it to him and others to sort, I find an issue, I work out how to solve it, and I give them a solution at the same time I report it. I'm in the business of solving problems, not creating them. EVERYONE appreciates it when it's done this way.
So I never outline a problem without at least a tentative plan of resolution.
Excuse me, but if you are not the developer of the application then it is not your business to work out fixes. I would most definitely not appreciate it if you tried to find fixes for problems that you probably don't understand in a codebase that you don't understand.
– gnasher729
Aug 7 '16 at 19:11
@gnasher729 in theory it's not your job to be reporting errors especially if you can't understand them. This is in the case where you do thoroughly understand what you're doing. Unless your role is looking for errors. But I do understand some few developers have over-inflated egos and wouldn't appreciate the help.
– Kilisi
Aug 7 '16 at 19:18
1
The guy has just started getting into a codebase. He's a beginner.
– gnasher729
Aug 7 '16 at 19:37
@gnasher729 Yep, I gathered that
– Kilisi
Aug 7 '16 at 19:42
"creating them" - that's what bad managers will say about this, since the problem already exists.
– Walfrat
Aug 8 '16 at 9:09
Score: -4
Good luck for your future career.
So you are the world's greatest security expert. You are also an expert on software development. You are surprised that there is old code in an application that went live a few months ago? Applications are not re-written from scratch all the time. That application will be based on an older application that is based on an even older application, etc.
You contacted the software developer. What do you think the developer is going to do? Nothing. He isn't going to do anything unless it comes from his manager. You "don't want him to feel that I am trying to dictate how his application should or should not be written". That's very nice of you. Please tell him this. He will say "thank you very much, and if you ever try I will react appropriately to make sure you won't try again". His answer to your information was telling: "Yes, this could be done better". There are thousands of things that could be done better, and if we had unlimited time and budget we would do them better, but we don't.
It seems you found something that you know about in theory. In practice, you don't know if it is exploitable. You don't know if the "sensitive information" would be harmful (for example, if the "sensitive information" is a trade secret then no competitor will dare touch it). You don't know about priorities - there might be no budget to do certain things, so the problem was ignored.
Worst case, you report this in writing to the head of security, who cannot ignore this anymore, which means development effort is spent on a security fix that nobody thinks is necessary, which means things that the business needs don't happen. And when the CEO asks why things he wanted done didn't happen, the answer is "because JRLambert reported a security issue".
Here's what you should do: Go to the manager responsible for development of the product, tell him, and check what he says. Since you will be starting to support that application, if it is deemed important, it will be your job to fix it.
Would be interested to know what it is about this answer that two people disagreed with enough to downvote it?
– Carson63000
Aug 8 '16 at 0:14
4
@Carson63000 Likely downvoted because it comes across as snarky. Whilst the content is there, the tone detracts from what's trying to be communicated. "So you're the world's greatest security expert" is not an ideal way to start an answer. See workplace.stackexchange.com/help/be-nice
– Rawrskyes
Aug 8 '16 at 2:26
4
@Carson63000 the snark definitely doesn't help; more broadly though I strongly disagree with the whole "yeah we know it has security bugs but don't care enough to spend anything on them" attitude in this answer vs the accepted answer.
– Dan Neely
Aug 8 '16 at 3:39
up vote
-4
down vote
Good luck with your future career.
So you are the world's greatest security expert. You are also an expert on software development. You are surprised that there is old code in an application that went live a few months ago? Applications are not re-written from scratch all the time. That application will be based on an older application, which is based on an even older application, etc.
You contacted the software developer. What do you think the developer is going to do? Nothing. He isn't going to do anything unless it comes from his manager. You "don't want him to feel that I am trying to dictate how his application should or should not be written". That's very nice of you. Please tell him this. He will say "thank you very much, and if you ever try I will react appropriately to make sure you won't try again". His answer to your information was telling: "Yes, this could be done better". There are thousands of things that could be done better, and if we had unlimited time and budget we would do them better, but we don't.
It seems you found something that you know about in theory. In practice, you don't know if it is exploitable. You don't know if the "sensitive information" would be harmful (for example, if the "sensitive information" is a trade secret then no competitor will dare touching it). You don't know about priorities - there might be no budget to do certain things, so the problem was ignored.
Worst case, you report this in writing to the head of security, who cannot ignore this anymore, which means development effort is spent on a security fix that nobody thinks is necessary, which means things that the business needs don't happen. And when the CEO asks why things he wanted done didn't happen, the answer is "because JRLambert reported a security issue".
Here's what you should do: Go to the manager responsible for development of the product, tell him, and check what he says. Since you will be starting to support that application, if it is deemed important, it will be your job to fix it.
answered Aug 7 '16 at 21:04
gnasher729
Would be interested to know what it is about this answer that two people disagreed with enough to downvote it?
– Carson63000
Aug 8 '16 at 0:14
4
@Carson63000 Likely downvoted because it comes across as snarky. Whilst the content is there, the tone detracts from what's trying to be communicated. "So you're the world's greatest security expert" is not an ideal way to start an answer. See workplace.stackexchange.com/help/be-nice
– Rawrskyes
Aug 8 '16 at 2:26
4
@Carson63000 The snark definitely doesn't help; more broadly, though, I strongly disagree with the whole "yeah, we know it has security bugs but don't care enough to spend anything on them" attitude in this answer vs. the accepted answer.
– Dan Neely
Aug 8 '16 at 3:39
4
You might consider going to the dev's team lead or manager before getting security involved.
– Telastyn
Aug 5 '16 at 16:31
4
I would escalate it quickly. I would shy away from showing academic papers, but rather a full-blown example of it in action against the code base as a demonstration. Show what you did, how you did it, and how it is an exploit point. If it could "theoretically" be a vulnerability, then it will require a bit more explanation on your part, but prepare to meet critics. At least you brought your point up then.
– Dan
Aug 5 '16 at 16:37
3
I'd suggest checking out the Disclosure tag over on security.stackexchange.com/questions/tagged/…
– Rory Alsop
Aug 5 '16 at 16:43
@RoryAlsop: That is about public disclosure. If a company employee publicly discloses a security problem of his company then that company employee will be an ex-employee.
– gnasher729
Aug 7 '16 at 21:07
gnasher729 - no, it covers both internal and external. Have a read of the questions. Loads in there on making sure timing is fair and ethical, when and how to escalate, and when to finally go public - which in some cases is absolutely the right thing to do, cf. whistleblowing.
– Rory Alsop
Aug 7 '16 at 22:32