[cowward]

I actually awoke one night about a week ago, fretting about SQL injections in the site. Upon checking my code my fears were confirmed. I did test the exploit on the live site but didn't actually access the database, just confirmed that it worked.

Have you ever heard of an organisation taking action against a former developer for reporting something like that? If I had a builder build me a house, and he came round a year later to tell me that my walls weren't strong and anyone could just break them down I would be pretty upset.

[eksith]

Not directly, no. But anecdotally, and on rare occasion, I've heard of legal teams jumping to conclusions etc... and really coming down hard on people who disclose to former employers.

At this point, the option with the fewest risks to your name, if you chose to use it in the disclosure, would be to exclude any mention of the live site completely. Make it appear so that this is only something that you came across on the code and, with your best linguistic poker-face, strictly keep to the code alone without even marginally grazing the live site.

Besides that, you should try and relax a bit. I know, it's easy for me to say, but that will help you come up with the right words. You also have to keep in mind that even though it's a pretty serious bug, it's still A bug. This will far from destroy the company if fixed immediately, as you say, it's a pretty simple fix. You shouldn't imagine the worst case scenario.