Ask HN: Security vulnerability in deployment – what to do?

3 points by erlehmann_ ↗ HN
Around 1.5 months ago, I found a security vulnerability in a web page I developed, which was deployed by another person: A GET to an easily-guessable URL gives away a file containing a password with which one can login and modify content.

I reported that vulnerability immediately to the person deploying it and he answered he would look into it and reply. He did not. I sent two followup emails regarding the issue and did not get any reply.

What should I do to get the issue fixed? My first idea would be to notify the customer, but I am certain the customer can not fix it.

1 comment

[ 3.4 ms ] story [ 10.2 ms ] thread
Its hard to say what your best course of action is without seeing the development agreement. In mainly comes down to whether or not you guaranteed any warranties on your product.

If you did make such assurances, Your best course of action is to start a paper trail to document your corrective actions(looks like you have already started). Additionally, if the vulnerability is likely to cause damage to the consumer if exploited, you should notify both the customer and the deployment developer in an email. That will at least make the client aware of the problem so they won't be blindsided if it is exploited.

Its much better to come clean and fix a small problem now, than it is to ignore it and have the small problem turn into a huge problem. Patches happen all the time.