Standard procedure for security vulnerabilities.........

Codewiz

Diamond Member
Ok, a co-worker of mine found a critical flaw in some software we both use. We were examining it and how they implemented some capabilities in a secure manner. We found that there are some serious issues with their implementation and we do not believe there will be an easy fix.

Anyways, my co-worker has let the company know about the issue and provided a proof of concept demonstrating the flaw. How long should a person wait for a company to either fix the problem or warn their users of the possible consequences from continued use?

The severity of the flaw is just so mind-blowing, we just can't see letting the company sit on this for weeks while people could really be damaged by it.
 
Is this software something your company purchased? There may be language in the contract about resolving security vulnerabilities. I would also report it to your IT and/or information security departments.
 
Originally posted by: Codewiz
Ok, a co-worker of mine found a critical flaw in some software we both use. We were examining it and how they implemented some capabilities in a secure manner. We found that there are some serious issues with their implementation and we do not believe there will be an easy fix.

Anyways, my co-worker has let the company know about the issue and provided a proof of concept demonstrating the flaw. How long should a person wait for a company to either fix the problem or warn their users of the possible consequences from continued use?

The severity of the flaw is just so mind-blowing, we just can't see letting the company sit on this for weeks while people could really be damaged by it.

I've been in this position myself, twice, with two companies, whose names I will change to protect the innocent.

Company A, upon hearing of my discovery of a similar flaw, was immediately concerned, thanked me heartily, and set about fixing things right away. A fix was out within a week.

Company B, larger and more "established" than Company A, thanked me for my "criticism" and proceeded to ignore the problem altogether.

So, Codewiz, I'd say that if you haven't heard a reply within a week, assume your software provider doesn't care and switch to something that is secure.
 
The company eventually responded and have since taken down the feature.

If they had not taken it down, I believe it would have been a blood bath if we had gone to the media with this vulnerability.

We doubt this feature will be back from the company because we just don't feel there is a secure way to implement it.
 