
Ask HN: When to notify employer of security vulnerability? - x0ry
I stumbled upon a recent zero-day for Microsoft Silver Light (CVE-2016-0034 or KB3126036).  Checking my work system, I can see it hasn&#x27;t yet been patched.  It&#x27;s not my job to keep systems secure, I&#x27;m only a developer&#x2F;analyst but ultimately I want to work my way into information systems security + do the right thing.  What do you recommend is the best course of action?  Do nothing?  Wait?  Report it immediately?
======
facorreia
It sounds as simple as sending an email to IT saying "it has come to my
knowledge that there is this security vulnerability in the Silverlight version
that we're using".

And then, probably, forget about it -- being too pushy about demanding an fast
resolution may lose you the points that you'll gain by pointing out the issue.

------
justsorneguy
I would post to an online discussion, to obtain community feedback.

~~~
x0ry
Are you saying like on an internal company blog or something?

------
shogun21
Report it immediately.

