Um...Not quite.

Ok, you're the Security Specialist. We all appreciate that you're trying to do your job. However, there "should be" company policies and procedures on what to do if something like this is found.

In the case that there are no policies or procedures it is up to you, the Security Specialist, to create these policies and procedures to the best of your ability and with a whole lot of CYA built in.

Then, there is a nice big paper trail to follow on any possible exploit. If your company does not agree to this, it may be time to find another job. However, you should NEVER actually disclose information about a vulnerability to the general public until a fix is in place. If the company refuses to do anything about the but, and has been warned, report them to the State's Better Business Burearu for unethical business practices.

However, if you wish to keep your job and not be slapped as a business troublemaker, either leave a large paper trail or quit. Either way, keep your mouth shut in the public forums so that you don't get in trouble with the new computer laws.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/179/21615#21615