Ask HN: When to notify employer of security vulnerability?

Y	Hacker News new \| ask \| show \| jobs

	Ask HN: When to notify employer of security vulnerability?
	2 points by x0ry 3812 days ago
	I stumbled upon a recent zero-day for Microsoft Silver Light (CVE-2016-0034 or KB3126036). Checking my work system, I can see it hasn't yet been patched. It's not my job to keep systems secure, I'm only a developer/analyst but ultimately I want to work my way into information systems security + do the right thing. What do you recommend is the best course of action? Do nothing? Wait? Report it immediately?

3 comments

facorreia 3812 days ago

It sounds as simple as sending an email to IT saying "it has come to my knowledge that there is this security vulnerability in the Silverlight version that we're using".

And then, probably, forget about it -- being too pushy about demanding an fast resolution may lose you the points that you'll gain by pointing out the issue.

link

justsorneguy 3812 days ago

I would post to an online discussion, to obtain community feedback.

link

x0ry 3812 days ago

Are you saying like on an internal company blog or something?

link

shogun21 3812 days ago

Report it immediately.

link