Ethical quandary over security nondisclosure [closed]
There was a time where I would suggest taking heroic measures to resolve the situation. I've since learned better -- you cannot force someone to act in their own best interest. Doing so often has unintended consequences for you that are likely to be unpleasant.
Think about it... you've
- Informed the company via your audit report
- Informed your management
So if you go and call the CEO at home, you've now done an end-run around your management and created a situation where the internal folks who are doing the CYA thing are going to make you the villain. The CEO will listen to his incompetent staff more than a random consultant who did an audit 3 years ago.
My advice: go have a beer or whatever you like to do and never visit the website again.
First - you don't sell what you know, that's certainly unethical, and may be illegal :)
My second advice would be to go to Marketing Guy's boss, all the way up to the CEO of that company. If you work for an auditing group, they don't care what a company does with the information, just that they got to sell the service in the first place.
Third, if it's really this big a deal, you may be able to start an anonymous (or non-anonymous) marketing/boycotting campaign regarding the insecurity of the site, without actually compromising them.
But better than asking a bunch of sysadmins would be to talk to a reputable lawyer :)
You were hired to perform an audit, so your duty is to the client to inform them of the results of the audit. What they do with it is their business. They have decided the risks versus the cost of change. Not you. If they have a massive security issue and you get a subpoena, you get to testify about the audit results (3 years ago). That's it as far as your obligations.
I've got news for you. The vast majority of companies handle customer data in an insecure fashion, at some level or another. How many DBAs have complete access to all customer data? Very few companies run Oracle Vault.
"Do I just mine the data and sell it to a competitor minus the CC info?"
Only if you want to go to jail.
You may be on really thin ice if you disclose anything. You may get into real trouble for that.
There is a reason for companies having rigorous agreements between each other when pentesting is contracted. The pentesting company needs all the protection it can get. Disclosing information you should not can and will get you sued or prosecuted.
Let's say you go to the marketing guy's boss. The boss clamps down on the marketing guy. The marketing guy begins to cover his ass. He may persuade the boss that in order for you to have this information you must have done something illegal, or similar. Even if you will eventually win, you might be in court for a long time.
If they don't want to take it seriously at first approach, pressuring them into taking it seriously will most likely get you into trouble.
For your sake drop it.
EDIT: Furthermore, if the original agreement for the security audit specifies the only people you may inform, informing others in the same company who are not included in the agreement might get you into trouble.
So far as I see it you've done your job. You performed the audit and passed the results on to the relevant person in authority. My advice is to just back away from it; there's nothing more you can really do. Of course the dilemma is that innocent customers could be exposed to the ongoing security weaknesses, but it's not really your problem, is it? You can't be taking responsibility for any part of it beyond the remit of your job.