
Ask HN: How to deal with a superior who is unresponsive to a security issue? - lukaslueg
Our CMS people brought in a new shiny frontend for internal review today and I was asked to comment. Knowing the CMS-peoples' history I took a quick "curl -X POST"-look at the API endpoints and was harvesting the entire customer database through several injection attacks after a few pokes and tries. I told the CMS people - who are contractors - and the superior who is responsible for the CMS not to bring that frontend anywhere near production and what the problem was. When running into him and asking about it, the superior (who is actually not my boss - he can crash on the moon as far as I'm concerned) just shrugged and laughed about how he didn't read my email after it became too technical. I told him about our obligation by law to report data-breach incidents to the authorities in case the thing had gone online and been picked up by a bot. He didn't seem to see the light yet.

How should I deal with the situation? I don't want to be seen as an attention-whore at my company, yet the people involved are obviously insensitive to what actually almost happened.

Please spare me the advice about how to strong-arm someone, go off the deep end and post our customer database to /b/, or start looking for a new job... I'm asking for real-life advice here :-/
======
alex_hitchins
I would suggest a formal letter to said person rather than an email outlining
your concerns and where you believe laws are being (or could be) broken.
Depending on your environment you could also state that you feel you have an
ethical duty to report the company to any applicable authorities should any
vulnerabilities not be rectified.

------
PaulHoule
(1) Talk to your Boss, (2) Start looking for a new job.

In most companies you can't change your environment via communications,
politics, all that. You can't even change the way things were in the company
by leaving, but you can change your environment by getting a new environment.

~~~
lukaslueg
I tried talking to him, but from their point of view the thing is that nothing
actually happened - it was internal review time. I tried explaining to them
that if one goes to the local car dealership, takes out a car for a test-drive,
and instead of just the seats and the mirrors being in the wrong place
gasoline starts gushing out of the air conditioning and incinerates the driver,
under no circumstances would that be considered an otherwise uneventful
misfire. Yet they don't see the point.

~~~
PaulHoule
Let's put it this way.

The new head of the CFTC says that cyber attacks are the most severe threat to
the global financial system and he is right.

The main reason for that is that the kind of attitudes you are talking about
are widespread.

------
gjolund
I have been in this situation a couple times, and it can be really stressful.

You will continue to be viewed as "the boy who cried wolf", and you should
expect to be excluded from the decision making process in the future.

Put your thoughts in writing, and start applying for other jobs.

