24

My team manager showed me a web application of a new client and asked me if I can find vulnerabilities in it to push for a better product contract. She showed me the system architecture and asked me if I could try finding something from their login page. I politely refused since we don't have written permission to conduct a security audit (it's also a ministry website). She was pretty disappointed and I don't know if I'm doing the right thing not helping the company (I'm an intern but still). I'm sure I can scan in stealth but I don't think it's ethical on a corporate level. Thoughts?

Comments
  • 14
    you have done it correctly! Never do such a thing without a written contract and signed disclaimer!
  • 12
    As an intern, the company has plausible deniability and can throw you under the bus. You made the right choice.
  • 11
    Unless the company owns it, or has a contract to pentest it. You refuse, the company may not like it, but it's your ass on the firing line if they deny any involvement if push comes to shove.
  • 1
    Very good call you made here. I also would have refused, and quite frankly I'd be looking for new work after being asked that.

    Goodness knows what else they'll try and throw at you...
  • 0
    @AlmondSauce Oh no, my manager is a nice lady. I think it's just that she's eager to improve the project quote and is not really knowledgeable about the nuances of security. Her argument was that since it's out on the internet, it would be subjected to attacks anyway.
  • 1
    @exceptionalGuy I'm not sure I quite buy that. She might be nice, but knowing that it's rather illegal to attack something that's not your own (and you haven't been given permission to attack) isn't really knowing the "nuances" of security, it's almost common sense, otherwise any kind of hacking would be legal "because it's on the internet and it's going to get hacked anyway."
  • 0
    @AlmondSauce I get what you mean but for someone who's not really specialising in such matters, it'd be a lot easier to be ignorant than you imagine. I'd have an issue if she pressed me to do it. It's an innocent mistake otherwise. I'm quite patient with people anyway. xD
  • 0
    Propose using a report from Shodan.
    They're scanning the entire web for you.
  • 1
    It would probably be worth contacting your integrity officer about, if your company is large enough to have one.
  • 0
    I think you could have asked her for legal proof that the company asked you to do it and they take full responsibility for it. Not sure though, I don't have much experience in legal stuff.
  • 0
    Smart move refusing