Ask HN: Submitted security flaw. Was pressed for employer. - Jeremy1026

Recently I submitted a security hole to the creators of a large piece of medical software. This software provides access to sensitive information about patients, as well as privileges such as ordering prescriptions.

The flaw I found, and reported, related to password storage. The passwords use a reversible algorithm which I wrote about on my blog [1].

After submitting the hole I was contacted by the CEO of the company saying that they would push my report to the developers and that they would be in contact with me. Two weeks following the last communication I reached back out to the CEO to see if there was a status update, and informed them that I would be publishing all of my findings, including the name of the software and code, on April 1, 2013 barring assurance that the issue was actually being fixed.

Today I received an email from the CEO as well as an individual who identified themselves as a member of the development team stating that the issue was being worked on and should be patched in 4 weeks. I was satisfied with the response and decided to wait before posting anything further. However, before I could reply to the emails, I received a phone call (I provided my phone number to discuss the issue).

During the conversation, with the individual who identified themselves as a developer for the software, the caller assured me that the issue would be fixed. I thanked them and asked to be informed when it was patched so that I can update and secure my company's system as needed. After assuring me the issue would be fixed, the caller went on for about 10 minutes pressuring me to tell him who my employer was. The whole time I refused, stating the issue was not uncovered due to any business operations, and that I was reporting the issue as an individual, not as a member of the company.

So, my question is: Do I ever have to disclose any personal information when reporting a security flaw?

[1] http://www.jcurcio.com/posts/obscurity-is-not-security/
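The post's technical point is that the product stored passwords with a reversible algorithm, so anyone with read access to the credential table can recover the plaintext. The example below is added here and is not the poster's code or the vendor's algorithm (which the thread never describes): it contrasts a constructed toy encode-and-store scheme (XOR with a fixed key plus base64, chosen only to illustrate reversibility) with a salted, iterated one-way hash built from the Python standard library, and shows the audit check a defender would run against an exported credential store.

```python
import base64
import hashlib
import hmac
import os

# --- Constructed "reversible" storage (illustration only, not the vendor's scheme) ---
# Any fixed-key transform is reversible by whoever holds the key, which in
# practice is everyone with access to the application binary or config.
OBFUSCATION_KEY = b"fixed-application-key"  # constructed value


def _xor_with_key(data: bytes) -> bytes:
    return bytes(b ^ OBFUSCATION_KEY[i % len(OBFUSCATION_KEY)] for i, b in enumerate(data))


def obfuscate(password: str) -> str:
    """Weak form: XOR with a fixed key, then base64. Looks opaque, but is a bijection."""
    return base64.b64encode(_xor_with_key(password.encode("utf-8"))).decode("ascii")


def deobfuscate(stored: str) -> str:
    """Inverse of obfuscate(): a DB dump plus the key yields every password."""
    return _xor_with_key(base64.b64decode(stored)).decode("utf-8")


# --- Hardened storage: salted, iterated PBKDF2-HMAC-SHA256 (stdlib, no extra deps) ---
PBKDF2_ITERATIONS = 200_000
SCHEME = "pbkdf2_sha256"


def make_record(password: str) -> str:
    """Return 'scheme$iterations$salt_hex$digest_hex'. A fresh 16-byte salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{SCHEME}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt/iterations; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != SCHEME:
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record never verifies
    return hmac.compare_digest(actual, expected)


# --- Defender's audit: is the credential store reversible? ---
def count_recoverable(stored_values) -> int:
    """How many stored values can be turned back into plaintext with the app's key?

    A one-way hash fails to decode (or decodes to noise that is not valid UTF-8),
    so a non-zero count means the store leaks passwords to anyone who can read it.
    """
    recoverable = 0
    for value in stored_values:
        try:
            deobfuscate(value)
            recoverable += 1
        except (ValueError, UnicodeDecodeError):
            continue  # not reversible with this key: good
    return recoverable


if __name__ == "__main__":
    # Constructed sample credentials.
    weak_store = [obfuscate(p) for p in ("correct horse", "Tr0ub4dor&3")]
    strong_store = [make_record(p) for p in ("correct horse", "Tr0ub4dor&3")]
    print("weak store recoverable:", count_recoverable(weak_store))      # 2
    print("hashed store recoverable:", count_recoverable(strong_store))  # 0
    print("login check:", verify_password(strong_store[1], "Tr0ub4dor&3"))  # True
```

The audit function is the useful part for someone in the poster's position: run it against an exported credential column and the result is either evidence that the storage is reversible or evidence that it is not, without needing to know which algorithm the vendor used.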
======
dmckeon
Disclaimer: I am not a lawyer, certainly not your lawyer.

Are there any contracts between any of the parties: you, your employer, the
software company - that might require you to provide or disclose any
information?

Does HIPAA apply? Did you view any protected patient info?

If I were you, I would not post further publicly until after you consult with
a local attorney who understands both the potential HIPAA issues and your
personal exposure regarding your employer.

Best case - the software company fixes the issue, thanks you publicly, deals
appropriately with whoever signed off on the metamorphosi code, encourages
your employer to give you a raise, a promotion, a 4 week vacation somewhere
pleasant, a personal zeppelin to commute in, and a pet unicorn.

Worst case - the software company portrays you as a hacker (in the worst
connotation), accuses you and your employer of industrial espionage and
violation of patient privacy, sues you and them for significant damages,
encourages the Feds to look into the situation, and your career in programming
takes a very messy turn into legal limbo for a few years. No unicorn, either.

tl;dr: Stop posting details. Get legal advice. Great catch. Good luck.

------
runjake
_> Do I ever have to disclose any personal information when reporting a
security flaw._

No, of course not.

And in this case, I think it would be to your detriment to reveal such
information.

------
chris_dcosta
This is exactly the reason why some choose to notify sec problems anonymously.

You may find that this comes back to bite you badly especially if they
consider your communiqué to be a blackmail-ish threat, even if you did not
intend it to be.

------
Jeremy1026
tl;dr: After reporting a security flaw I was pressed to divulge information
that did not affect the security flaw reported. Do I, for any purpose or
reason, have to give the creators of the software in question this (or any
other identifying) information about myself?

Also, clickable link: <http://www.jcurcio.com/posts/obscurity-is-not-security/>

------
sp332
Is there supposed to be a link for [1] ?

~~~
Jeremy1026
Sorry, yes there was. Edited it to place it in the post.