

Ask HN: How should I disclose a vulnerability in a site I worked on? - cowward

I worked on a website just under 2 years ago. I recently discovered an SQL injection vulnerability which could easily allow any semi-competent attacker full access to the database, which contains personal details. It's an easy fix; I must have forgotten to escape some inputs. The problem is, I no longer have access to the server and the organisation has heavily restructured, with my primary contact having left.

My questions are:

- Under UK law, can I be prosecuted if the site is compromised?
- Are the organisation likely to take action against me if I report the vulnerability?
- Would it be a good idea to disclose the vulnerability anonymously?

Thanks.
======
eksith
I'm not too familiar with UK law, however, the ethical thing to do would be to
reveal the vulnerability.

It would be helpful to know how you managed to come across the vulnerability.
Did you scan your own code and see the oversight? If so, then you don't
(hopefully) have anything to worry about in reporting. However if you probed
the website, then that's a different matter entirely.

It may just come down to how you word the disclosure. If you can somehow go
back to your original work and submit the code directly, then you've
independently verified the vulnerability without having to display it on the
site itself. Something along the lines of "I was going over some of my old
code and came across this. If the same code is active on the site, I believe
this could be a live vulnerability." Or something like that.

~~~
cowward
I actually awoke one night about a week ago, fretting about SQL injections in
the site. Upon checking my code my fears were confirmed. I did test the
exploit on the live site but didn't actually access the database, just
confirmed that it worked.

Have you ever heard of an organisation taking action against a former
developer for reporting something like that? If I had a builder build me a
house, and he came round a year later to tell me that my walls weren't strong
and anyone could just break them down I would be pretty upset.

~~~
eksith
Not directly, no. But anecdotally, and on rare occasion, I've heard of legal
teams jumping to conclusions etc... and really coming down hard on people who
disclose to former employers.

At this point, the option with the fewest risks to your name, if you choose to
use it in the disclosure, would be to exclude any mention of the live site
completely. Make it appear so that this is only something that you came across
in the code and, with your best linguistic poker-face, strictly keep to the
code alone without even marginally grazing the live site.

Besides that, you should try and relax a bit. I know, it's easy for me to say,
but that will help you come up with the right words. You also have to keep in
mind that even though it's a pretty serious bug, it's still _A_ bug. This will
be far from destroying the company if fixed immediately; as you say, it's a
pretty simple fix. You shouldn't imagine the worst case scenario.

