
Ask HN: To expose a security flaw or not? (at a company where I interviewed) - ziggystardust

tl;dr: hacked into a potential employer's web app, gained access to client details. Can't decide whether to tell them or keep quiet. Help!

I recently interviewed at a company for a product engineer position. I got a decent offer from them, but for some personal reasons I could not accept it.

Before going in for the interview, I did a little bit of research on their company and found a few security flaws in their web app through which I was able to get access to most of their client details as well.

Now I'm confused whether to help them out with the issue or to keep it low, considering there is a chance of it backfiring on me (though I had a good time during the interview process and a healthy conversation with the people there).

What would you do?
======
mariuolo
I don't think you have anything to gain from telling them and potentially much
to lose.

All it takes is an obtuse manager or a lawyer wanting to cover the company's
back (they could be required by law or by contract to disclose any successful
penetration) or just a prosecutor eager for another notch on the belt.

Perhaps those are extreme cases but I wouldn't take the chance if I were you.

------
new_hackers
Let them know privately, then forget about it. (Forgetting about it includes
deleting your copy of the client data.) You declined the offer, so it's not
your problem. However, as a good netizen, you can gain some good karma by
letting them (and only them) know about it. Who knows, your good deed may open
up opportunities down the road.

~~~
NetStrikeForce
Karma doesn't exist. Just drop them an anonymous email if you really feel the
need to do something.

~~~
ziggystardust
Sounds like a good idea!

Is there a way to leverage the client info if it's an anonymous tip?

~~~
NetStrikeForce
I'm not sure I understand your question (non-native speaker here). What kind
of leverage are you after? There's no benefit in this, apart from peace of
mind, helping others without getting your ass busted, or doing the right thing.

~~~
ziggystardust
Right now I hold access to almost all of the clients' data and web servers. By
leverage I mean to ask how I could use this to my benefit.

------
Lordarminius
You may want to read this article: [https://techcrunch.com/2016/09/20/hacking-for-investor-profit/](https://techcrunch.com/2016/09/20/hacking-for-investor-profit/)

