C0D4
Write up your findings, put it into an email, and send it to your senior and management; not much more you can do if they won't take the fight.
Already done this in parts. Might write up a complete thing with all my "findings" in one and send it to my boss and his boss. I'm 100% sure there's a lot more wrong; I don't have a security background and the "tests" I ran were incredibly basic shite that any 12-year-old would notice - speaking from experience. I shudder to think what someone more experienced would find.
It's just irritating because from what I've seen, people have known about these issues for bloody years and done nothing, and if one of us goes down, well, it looks like we all bloody sink with 'em. This crap also costs tens of thousands of dollars yearly, so there's that too.
Sadly it'd take years and the industry isn't exactly a growing one that investors would be into.
I would just check if I would take a hit in case something goes wrong here. If not, then do nothing. Most likely it will be that third party that would be blamed and you are OK doing nothing (assuming your conscience can take it).
If you try to bring this issue up it might actually blow up in your face, since you are basically saying, or are perceived by some as saying: "My senior colleagues, possibly management up to the CEO, are neglecting their responsibilities and are dumb fucks. Please compliment me for this finding."
Fair point, hadn't really thought of it like this. It just irks me that potentially hundreds of thousands, up to potentially millions if this applies to other regions, of people could have their information leaked, and the response is that I can't do anything about it despite the main issue just being out-of-date, free software. I guess I'll join their ranks and be a professional and wait for it to blow up. At least I warned 'em; kind of need my job and don't want this falling back on me.
This is a "CYA" (cover your behind) type scenario.
Send an unambiguous, firmly worded email to your boss, and your boss' boss if applicable. Share your findings, make it clear that fixing this issue needs to be a priority to stop customer data being stolen, and if you're able, suggest alternatives to stop this sort of thing happening in the future.
Bcc your personal email address in as well.
Then see what happens. If they follow up, great, if not, then you've done all you can - and if it ever hits the fan, you've got proof you tried to warn them and they didn't listen.
Send your findings to regulatory authorities from your CEO's email :)
Wow! That's a whole new level of blackmailing your customers...
Aren't there any competitors your company can switch to?
Report all the exploits you find to the relevant parties. Give them a deadline to fix it. If they don't, publish your findings. They'll fix it once you've embarrassed them publicly.
geaz
One question: is this a service which anyone can buy? Or was it contract work to do the site?
If the second one is the case: normally you pay for service contracts which contain things like updates due to vulnerabilities. If your company does not have such a contract, good luck getting this fixed without paying...