Ask HN: When to notify employer of security vulnerability?

I stumbled upon a recent zero-day for Microsoft Silverlight (CVE-2016-0034 or KB3126036). Checking my work system, I can see it hasn't yet been patched. It's not my job to keep systems secure; I'm only a developer/analyst, but ultimately I want to work my way into information systems security and do the right thing.

What do you recommend is the best course of action? Do nothing? Wait? Report it immediately?