Ask HN: How to deal with a superior who is unresponsive to a security issue? Our CMS people brought in a new shiny frontend for internal review today and I was asked to comment. Knowing the CMS-peoples' history I took a quick "curl -X POST"-look at the API endpoints and was harvesting the entire customer database through several injection attacks after a few pokes and tries. I told the CMS people - who are contractors - and the superior who is responsible for the CMS not to bring that frontend anywhere near production and what the problem was. When running into him and asking about it, the superior (who is actually not my boss - he can crash on the moon as far as I'm concerned) just shrugged and laughed about how he didn't read my email after it became too technical. I told him about our obligation by law to report data-breach incidents to the authorities in case the thing had gone online and been picked up by a bot. He didn't seem to see the light yet. How should I deal with the situation? I don't want to be seen as an attention-whore at my company yet the people involved are obviously insensitive to what actually almost happened. Please spare me with advice about how to strong-arm someone, go off the deep end and post our customer database to /b/ or start looking for a new job... I'm asking for real-life advice here :-/ |