Comment by calvinmorrison
4 days ago
> By even flagging the issue and the potential fallout, I’ve put my career at risk.
Simple as. Not your company? not your problem? Notify, move on.
I read that post as him talking about their company, in the sense of the company they were working for. If that was the case, then an exploit of an unfixed security issue could very much affect them either just as part of the company if the fallout is enough to massively harm business, or specifically if they had not properly documented their concerns so “we didn't know” could be the excuse from above and they could be blamed for not adequately communicating the problem.
For an external company “not your company, not your problem” for security issues is not a good moral position IMO. “I can't risk the fallout in my direction that I'm pretty sure will result from this” is more understandable because of how often you see whistle-blowers getting black-listed, but I'd still have a major battle with the pernickety prick that is my conscience¹ and it would likely win out in the end.
[1] oh, the things I could do if it wasn't for conscience and empathy :)
No I mean, 'a company you own'. At the end of the day you're just a worker getting paid to produce output. Cross your I's and dot your T's and whatever else and then clock out.
Even keeping to the 9-to-5 you can make your displeasure at being insecure known. And if the security issues come to a head and it damages the company, you could be out on your arse if the company dies or needs to cut costs. The current environment is a lot worse than it would have been five or ten years ago, and that same environment likely limits the “I don't like it so I'll just leave” options that are available.
I'm lucky, I have options¹ and it is looking like I don't need them²³, but many are not so lucky.
--------
[1] I made serious enquiries about a couple of them when the recent take-over was announced, just in case…
[2] the new corporate masters seem to be doing more than talking the talk, and on quality matters we were already doing things right and the new overlords don't appear to have any desire to change that
[3] well, at least not on these matters, there are a few cultural changes that I need to get used to or get away from, largely due to being a bigger organisation now, but they aren't wrong just a little further from my preference than things were before.
Their website says they're a freelance cloud architect.
The article doesn't say exactly, but if they used their company e-mail account to send the e-mail it's difficult to argue it wasn't related to their business.
They also put "I am offering" language in their e-mail which I'm sure triggered the lawyers into interpreting this a different way. Not a choice of words I would recommend using in a case like this.
This is a good point. I think we get a couple of emails a week for exactly this kind of bottom feeder 'consulting firm' 'offering' to tell us all about some massive security issue they found, as long as we sign up for a 'consulting engagement'[1]. On the other hand, we generally ignore them, not threaten to sue them.
[1] We get about as many 'pay us a bounty or we'll tell the world about this horrid vulnerability we found'. I have suggested to legal we treat those like extortion attempts to make them go away and stop wasting our time but legal doesn't want to spend time on it.