Hacker News
by nessence 5714 days ago
Unfortunately, this is a common response from upper management.

In larger companies, one way to get around this is to go to Human Resources instead of your chain of command. Let them anonymously handle this issue. If your company doesn't take action then you can continue discussing the matter with HR until it's resolved.

If the company isn't large enough to have an employee handbook and HR then you could report to an officer of the company and note that you wish to remain anonymous and that you're genuinely concerned about company security.

You could also consider requesting a meeting with officer+manager or HR+manager and disclose to both at the same time.

I don't see any company in their right mind firing you if you do this -- and are genuinely concerned for the security of your employer and its clientele.

1 comment

I would definitely not take this issue to HR. HR is not there to help you. Mostly, they're there to screw you out of a little bit more of your health insurance benefit every year. Escalating this above your manager is really just an opportunity to brand yourself "high drama".

You really ought to just have a conversation with your manager where you acknowledge that you have just learned that he doesn't want you testing the dev server for security vulnerabilities, and then you ask him what the most effective way is for the company to channel your interest in security.