
Ask HN: Security vulnerability in deployment – what to do? - erlehmann_
Around 1.5 months ago, I found a security vulnerability in a web page I developed, which was deployed by another person: a GET to an easily guessable URL gives away a file containing a password with which one can log in and modify content.

I reported that vulnerability immediately to the person deploying it, and he answered he would look into it and reply. He did not. I sent two follow-up emails regarding the issue and did not get any reply.

What should I do to get the issue fixed? My first idea would be to notify the customer, but I am certain the customer cannot fix it.
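The class of bug described in the post (a credential file sitting inside the web root where any GET can fetch it) is easy to catch before deployment by scanning the tree that is about to be published. The script below is an added example and not code from the thread or from the poster's project: it builds a throwaway web root from constructed sample files, then flags anything whose name is a common secret/backup name or whose contents look like a password assignment. The file names, the regex patterns and the sample contents are all assumptions; extend the patterns to match the project being deployed.

```python
"""Pre-deployment check for credential files left inside a web root.

Added example, not from the HN thread. Builds a constructed sample web root,
then reports every file that should never be reachable by an HTTP GET.
All names, patterns and sample contents below are assumptions.
"""
import os
import re
import shutil
import tempfile

# File names that are commonly left behind and easy to guess
# (assumption: a starter list, not exhaustive).
SUSPICIOUS_NAMES = re.compile(
    r"(^\.env$|^\.htpasswd$|\.bak$|\.old$|\.orig$|~$"
    r"|^(passwords?|credentials?|secrets?)(\.[a-z]+)?$"
    r"|config\.(php|ini|yml|yaml|json)$)",
    re.IGNORECASE,
)

# Lines that look like a secret being assigned, e.g. "$db_password = 'x'"
# or "apiKey: 'x'" (assumption: generic patterns, tune for the code base).
SECRET_LINE = re.compile(
    r"^\s*[$]?\w*?(pass(word)?|pwd|secret|api[_-]?key|token)\w*['\"]?"
    r"\s*[:=]\s*['\"]?[^\s'\"]{4,}",
    re.IGNORECASE | re.MULTILINE,
)


def scan_webroot(root):
    """Return a sorted list of (relative_path, reason) for every file under
    `root` that looks like it carries credentials."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if SUSPICIOUS_NAMES.search(name):
                findings.append((rel, "suspicious file name"))
                continue
            try:
                with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                    content = fh.read(64 * 1024)  # enough for config files
            except OSError:
                continue
            if SECRET_LINE.search(content):
                findings.append((rel, "contains a password-like assignment"))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed web root: two clean files and three files that
    a scanner should flag. Returns the root directory path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    sample_files = {
        "index.html": "<html><body>hello</body></html>\n",
        "css/site.css": "body { color: black; }\n",
        # constructed: editor backup of a config file, served verbatim
        "config.php.bak": "<?php\n$db_password = 'hunter2';\n",
        # constructed: admin credentials in a plain text file
        "admin/passwords.txt": "admin:hunter2\n",
        # constructed: harmless-looking name, secret in the contents
        "js/app.js": "var settings = {\n  apiKey: 'abc123def456'\n};\n",
    }
    for rel, content in sample_files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    try:
        for rel_path, reason in scan_webroot(sample_root):
            print(f"{rel_path}: {reason}")
    finally:
        shutil.rmtree(sample_root)
```

Run it against the directory that will actually be published (or, as here, against the constructed sample). The scan is only a safety net: the real fix for the bug in the post is to keep credentials outside the web root or behind server-side access control, so that there is no URL, guessable or not, that returns them.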
======
blackflame7000
It's hard to say what your best course of action is without seeing the
development agreement. It mainly comes down to whether or not you guaranteed
any warranties on your product.

If you did make such assurances, your best course of action is to start a
paper trail to document your corrective actions (looks like you have already
started). Additionally, if the vulnerability is likely to cause damage to the
consumer if exploited, you should notify both the customer and the deployment
developer in an email. That will at least make the client aware of the problem
so they won't be blindsided if it is exploited.

It's much better to come clean and fix a small problem now than it is to
ignore it and have the small problem turn into a huge problem. Patches happen
all the time.

