Hypothetical situation with finding vulnerabilities in employer's products

Soldato (joined 9 Jun 2006, 2,641 posts)
Hi,

Let's say, in a hypothetical situation, I believe there are some serious security vulnerabilities in the software we write/maintain. In this hypothetical situation, I want to prove this vulnerability exists and the effect it has, with no intention of disclosing it to anyone outside of the company. I do this out of curiosity and to prove a point, which indirectly benefits my employer. I also do this out of work hours, and without my employer asking me to do such a thing.

I understand that an unsanctioned action like this would potentially cause a lot of displeasure toward me, as first it was unsanctioned, and secondly it 'rocks the boat'. On the other hand, it saves potential public embarrassment for the company.

What would you do in such a situation where you found and proved vulnerabilities (but did not disclose them) outside of work hours, and it was unsanctioned? Would it be wrong? Would it be right to be on the receiving end of any wrath dealt by the employer?
 
Associate (joined 26 Oct 2002, 1,714 posts)
Simple plan:
1> inform your manager of the problem
2> build a test rig with the software on
3> demonstrate the bug
4> profit?

Never, ever prove your point against a live system without written permission from the company's legal department!
 
Associate (joined 18 Dec 2010, 715 posts)
Are these products supported by a support team? Can the incident details describing the vulnerability be given to them, so they can log it with development to address?

Apart from developers sometimes being snobbishly defensive/dismissive of the impact of some vulnerabilities in their code, it is better to have them reported so they can decide whether to do anything about it.

As derfley says though, performing intrusion/vulnerability tests against a live system is a no-no, even if it is for "the greater good". So if you already have, keep that under wraps forever, and just propose a vulnerability hypothesis and enquire as to whether there is a non-production system available to check this out further.

If there's a chance they could inspect access logs for the live system to see if anybody has tried to take advantage of this already, and you have, and they trace it to you (and I'm presuming it's a company you work for), it could lead to disciplinary action for which you'd have little comeback, so if that might be a possibility in your situation then maybe forget about it - it's not your cross to bear.

The reason this would be super frowned upon is the risk such things may have had of causing some kind of problem on the system (real or imagined doesn't really matter; they have the upper hand in such arguments).
 
Soldato, OP (joined 9 Jun 2006, 2,641 posts)
I am one of the developers for the products (the vulnerabilities are nothing to do with me!).

I agree, no way I would test it against a live system. I would confirm the vulnerability with my own test system.

I'm more concerned that I would be 'rocking the boat' by raising these serious vulnerabilities, and whether I would be deserving of any ill feeling.
 
Associate (joined 14 Apr 2008, 1,230 posts, Manchester)
If management or other developers do not like the fact you have found an issue then I'd say you're working for the wrong company!

Staff should be actively encouraged to report problems of any sort.
 
aln, Associate (joined 7 Sep 2009, 2,076 posts, West Lothian, Scotland)
I am one of the developers for the products (the vulnerabilities are nothing to do with me!).

I agree, no way I would test it against a live system. I would confirm the vulnerability with my own test system.

I'm more concerned that I would be 'rocking the boat' by raising these serious vulnerabilities, and whether I would be deserving of any ill feeling.

I honestly wouldn't have given it a second thought. Test it on your dev system, create a bug report, and do whatever you're supposed to do with them.

Sounds like you're afraid of bashing someone's ego, and the repercussions of doing so, or that you want to prove a point to get ahead. In either event, as long as you handle the situation amicably and can back up your point, you shouldn't be worried.

Why spend your free time working for free, when you could be working for yourself? I suspect the end you hope for will never really come. I doubt you will gain anything from it.