Re: Decision

Peteris,

> Due to bug, any source file can be read and the <the company> has spent

So as I understand it, there's no immediate threat to the integrity or confidentiality of the customer data?

> Whats the best - report the bug and possible workarounds or let it

A valid concern. If you are in a position such that you should have inside information about the system (like took part in its development), I'd say you have an ethical responsibility to notify the company. If customer data is in danger and the company won't do anything about it, then I'd say you have a responsibility to go public, but I would consult a lawyer before doing so.

If you're not in a position that they can finger you, then I'd say, report it to them anonymously. I don't know what options exist these days for anonymous remailers, but a Hotmail account from an Internet cafe will probably do the trick. That will allow you to do the right thing with a minimal possibility of repercussions.

My 2-bits,
Terry

import StandardDisclaimer; Received on Thu Jun 5 18:07:27 2003

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek