4

What would you do if you discover a major security flaw in an enterprise product that claims to be secure and has GDPR compliance? Like a really major flaw in a core feature of the product!

Comments
  • 1
    As a dev or as an outsider?
  • 1
    Good question. As a dev?
  • 2
    Immediately report to PM
  • 1
    Make a PowerPoint presentation about the dangers, potential mony loss and your solution. Then schedule a meeting with the CTO and Compliance and the GDPR Officer.
  • 0
    PowerPoint presentation? Instead, said dev can just use flaw and let management learn from mistake. 😂
  • 5
    Report it to the company.
    Then...
    If you're external: tell them that you will report it to the authorities in two months. Do not answer to any of their non-technical queries.
    If you're internal: once it's clear that they will not fix it report it to the authorities anonymously without telling them. Your obligations to the laws and the users that are put in danger (usually) outrank your obligations to the company.
  • 1
    @srshah19 you have to speak the language of those people. Their knowledge about technology is not that big as yours. So you have to translate the problem into easy understandable terms and that is cents and Euros.
  • 6
    Report it anonymously so you're not accused of "hacking." Humans are fearful and disgustingly stupid creatures, and often think that effects are causes. They may very well blame you for the existence of the flaw simply because you found it, and will absolutely blame you for any new damage caused by said flaw.

    Doesn't matter if it doesn't make sense.
    Keep yourself safe.
  • 2
    I assume im outsider.
    1. Check if there are bounty programmes by given company. allways nice to have.
    2. Report to company.
    3. After month of no fix, report it anywhere where it needs to go to make it hot for them.
    4. If there are valid reasons to apply CVE, do it.
    5. After next few months if no fix, annonymously publish there is exploit without any detail how etc.
    6. wait month or so, if no dice publish exploit with script or something. At that point its clear that company dosent give a single piece of broken fuck about customers anyway. But appearance hurts.
Add Comment