Ask HN: Found a major vuln in competitor's software. What now? - badsamaritan

Hi everybody,

Let's assume that I have a web app, and I have a competitor, with very similar product. I found a major vulnerability in their software and I can destroy all of their data.

Usually, if I find something like this in someone's software I would write him an e-mail, because I am a nice person. This is a good thing to do, right?

But in this case I just don't know what to do. I don't want to lower my karma, destroying their business, plus it sounds like a real crime. But I don't want to tell them either — they are my competitors.

What would you do?
======
jgrahamc
Tell them; be a mensch; life is long.

Many years ago when the web was young I worked for a company that had
accidentally left its intranet open to the web. We didn't know. It was hard to
find, but if you knew the URL you could access it (on some weird port).

But on the intranet was a link to a competitor. The competitor found the
intranet because it appeared in their referrer logs. One of our employees had
clicked through to the competitor and left a trail.

The CEO wrote to us and told us. Looking at our intranet logs we knew that
they only looked at that one page.

The CEO of that company became a fairly well known VC. All of us had a great
deal of respect for his actions. They could have accessed details of our
product plans, revenue and employees.

Ultimately, his company was more successful than we were.

------
staunch
Tell them, very anonymously. You don't want to risk them accusing you of
anything. Or, just forget about it completely, which is probably the safest
option.

Do not do anything destructive. It would be highly illegal and you could
_very_ possibly end up losing years of your life in prison. It's not worth it.

------
DanBC
Cautiously: tell them.

You want to protect yourself from retaliation. It's not unknown for people who
report vulns to be prosecuted.

Obviously don't use it. That risks not just your business but a prison
sentence.

------
basdevries
Just tell them, if you do it correctly, you might get to know your competitor
a little better and over time, there might be a way for you guys to focus on
different markets with the same products, discussing difficulties you both
have and so on. Eventually you want to look yourself in the mirror and be
happy with what you've accomplished, and not be ashamed of what you've
accomplished.

------
outericky
Don't be evil. Tell them or don't. Don't exploit it.

Edit: I would tell them.

------
HarryHirsch
Here are the options: a) keep silent, b) exploit it, c) tell them.

c) is the worst option; there are enough examples of people getting busted for
"hacking", double so for hacking a competitor. b) is better. If done with
caution you will not get busted, and you will get richer. a) is an acceptable
alternative. You will not make money, but you won't get busted either.

It's sad, but we live in a time where honor and fair dealing is not
recognized, and we must live with it.

~~~
tptacek
This is where we're at with HN now? Comments cheerleading people into
committing felonies?

~~~
HarryHirsch
Your sarcastometer needs to be returned to the manufacturer for major
overhaul. It has lost calibration. (Actually the last line in my comment
should have given it away, it recalls a comment on Seneca the Younger by a
French philosopher, can't remember the name. He called him "a man of honour in
a time when such did not exist".)

The comment was supposed to make two points: first, there is this prevalent
opinion here that market forces will invariably guarantee an outcome that is
beneficial to society. This would suggest option b) or c) for the OP,
dependent on his skills and connections. I dislike both, and so do you.

Also, both of us know that people have gotten into trouble for disclosing
vulnerabilities, even when they were disclosed only to the owner/manufacturer.
This isn't acceptable, neither to the person who pointed this out, nor to
society in general, because it leads to vulnerabilities left unfixed, and
unfixed vulnerabilities have a knock-on effect on the wider world.

~~~
tptacek
After reading this comment and re-reading your first comment, I've come to the
conclusion that we work from different definitions of the word "sarcastic".

------
mgirdley
This is a no-brainer: tell them. Yes, they're your competitors but when they
find out your accountant is stealing from you, wouldn't you rather they told
you?

------
centdev
Tell them. If you can't win the market by being better than them, exploiting
it to make them fail means you already have.

------
logn
Forget you knew this and get back to your life. Did we learn nothing from
Weev? Do you think your competitor might like seeing you in federal prison?
All it takes is one jerk at your competitor's company (or any of their
investors) to call in the feds.

~~~
tptacek
If he actually exploits the vulnerability, calling the police doesn't make
them jerks.

------
shail
Write a blog about it. That way you will have told them about it and also your
prospective customers. So win-win for both. They get to fix it and you
probably get more customers.

Obviously it can happen to you as well so be prepared.

------
samfisher83
If it were Bill Gates he would probably delete all their stuff.

I am not saying you should do it, but a lot of successful people got to where
they are without being too nice.

------
kohanz
I find these decisions are easier to make if you reverse the roles. If you
were in their shoes, what would you want/expect your competitor to do?

------
ankurdhama
Tell them, because the safety of the users is more important than your
competition.

------
shakiba
Send same email again, but this time to their enemy! [kidding]

------
orangethirty
Send an anonymous tip