Whistleblowing Security Flaws

Posted on 2009-04-27
Last Modified: 2012-05-06
During some testing, I have uncovered some security issues in some software utilized by my company.  I contacted the vendor, who provided workarounds for the issues but have not solved the problem.  It has been several months.

I would like to bring these to public light to bring some pressure on the vendor but need to do so anonymously.

Ideas?
Question by:RPPreacher
6 Comments

Expert Comment

by:AielloJ
ID: 24241060
RPPreacher:

Are you a manager or executive at your company?  If not, outline your concerns in a letter to your management.  Explain what could happen if the flaws remain unresolved, and your contacts with the vendor attempting to get them fixed.  If your company handles sensitive data that could be compromised, outline that also.  This path should positively impact your reputation with your company.

If you're the owner or executive of a small company trying to get resolution and feel you're being ignored, a similar letter to the executives of the vendor is probably the best route.

Although you didn't say so in your post, I'm assuming that everything to this point has been verbal.  Verbal gets lost, mistranslated, and forgotten, very easily.  Putting the concern in writing often gets a better response, especially where security is involved.  If it ever came to some sort of litigation, whether with your company or another company, the existence of a written document warning them of the flaws could easily cause them to lose the case.

One other suggestion.  Find a way to contact the executives at the vendor's company.  If you're dealing with the staff at the 800 number, they usually don't have the ability to escalate persistent issues to the proper management level.

Author Comment

by:RPPreacher
ID: 24241189
Our C-level is aware of the issue.  The vendor is aware of the issue.  The security hole is causing a software re-engineering with no defined fix date.  I would like to encourage the vendor to work faster by creating additional support pressure from other end users.

Expert Comment

by:AielloJ
ID: 24241321
I'm assuming that your corporate offices and the vendor are aware of the issue in writing, with the risks also outlined in writing.  If this issue is critical, and has persisted for some time, the vendor should be willing to give a fix date.

If the vendor is a major player, you might post questions on any blog sites catering to the product asking how others have gotten around the security holes.  It may cause people to look at their own installations to verify the security hole.

Could you give more details on the type of industry and the severity of the hole?  Is it banking, or medical, etc?
LVL 20

Author Comment

by:RPPreacher
ID: 24241648
We are not banking or medical or any other industry impacted by regulatory issues (HIPAA and the like).

The issue applies to a Linux appliance which is a fairly big name in its sector.  Fairly common deployment.  Let's say it's akin to a URL filtering appliance (it isn't).  Any industry *could* have it but might not have this brand or even this function.

I found 2 issues by chance.

1.  Using telnet, I could send root level commands to the linux subsystem given specific circumstances.
2.  The appliance stores unencrypted domain usernames and passwords in a log file.  This log is accessible to the outside (public facing) by accessing a specific URL.

I have a written trail of working with the vendor on resolving.  I am concerned about my liability in making this issue publicly known more than anything else.

Any ideas on remaining anonymous?  Most of the details above are modified enough to CYA.
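The second issue described above (domain usernames and passwords written in cleartext to a log that is reachable from the public side) is one that other users of the same appliance could verify on their own installation, as AielloJ suggests. The script below is an added example for this thread, not code from the original post or from the vendor: it scans log text for credential pairs and produces a redacted copy that can be attached to a vendor report or a public write-up without re-leaking the passwords. The sample log lines and the two credential layouts it looks for (key=value records such as `user=... password=...`, and `DOMAIN\user:password` pairs) are constructed assumptions, since the page names neither the product nor its log format; adapt the patterns to the real log. It does not address the telnet issue.

```python
"""Scan an appliance log for cleartext domain credentials and redact them.

Added example for this thread, not code from the original post or the vendor.
The log lines and the two credential layouts (key=value records and
DOMAIN\\user:password pairs) are constructed assumptions; the page does not
name the product or its log format, so adapt the patterns to the real log.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int   # 1-based line number in the log
    account: str   # account name found beside the secret
    kind: str      # which pattern matched: "kv" or "pair"


# Account name forms (assumed): DOMAIN\user or user@domain, optionally bare.
_QUALIFIED = r"(?:[A-Za-z0-9._-]+\\[A-Za-z0-9._-]+|[A-Za-z0-9._-]+@[A-Za-z0-9.-]+)"
_ACCOUNT = r"(?:[A-Za-z0-9._-]+\\)?[A-Za-z0-9._-]+(?:@[A-Za-z0-9.-]+)?"

_PATTERNS = [
    # key=value records: user=CORP\jdoe ... password=Secret (same line, within 80 chars)
    ("kv", re.compile(
        r"\b(?:user(?:name)?|login)\s*[=:]\s*(?P<account>" + _ACCOUNT + r")"
        r".{0,80}?\b(?:pass(?:word|wd)?|pwd)\s*[=:]\s*(?P<secret>\S+)",
        re.IGNORECASE)),
    # bare pairs: CORP\jdoe:Secret. Only domain-qualified accounts qualify, so
    # host:port and hh:mm:ss fields in the same log do not trigger it.
    ("pair", re.compile(
        r"(?<![\w.@\\])(?P<account>" + _QUALIFIED + r"):(?P<secret>[^\s:]{4,})(?!\S)")),
]

# Constructed sample log in the style of a Linux appliance's auth/proxy log.
SAMPLE_LOG = (
    "2009-04-27 10:01:12 auth: login attempt from 10.0.0.5 user=CORP\\jdoe password=Winter2009! result=OK\n"
    "2009-04-27 10:01:15 proxy: GET http://intranet:8080/index.html 200 1532\n"
    "2009-04-27 10:02:40 ldap: bind login=svc_filter@corp.example pwd=svcP@ss1 ok\n"
    "2009-04-27 10:03:02 auth: CORP\\asmith:Spring#42 accepted\n"
    "2009-04-27 10:04:00 sys: uptime 12:34:56 load 0.21\n"
)


def find_cleartext_credentials(log_text: str) -> List[Finding]:
    """Return one Finding per account/secret pair, in log order."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for kind, pattern in _PATTERNS:
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, m.group("account"), kind))
    return findings


def redact(log_text: str, keep_accounts: bool = True) -> str:
    """Mask every secret (and, if keep_accounts is False, every account name).

    The masked copy is what goes into a vendor report or public write-up;
    the original stays with the written trail of the disclosure.
    """
    def _mask(m: "re.Match[str]") -> str:
        out = m.group(0)
        base = m.start()
        s0, s1 = m.span("secret")
        a0, a1 = m.span("account")
        # The secret always follows the account, so replace it first and the
        # account offsets remain valid.
        out = out[:s0 - base] + "[REDACTED]" + out[s1 - base:]
        if not keep_accounts:
            out = out[:a0 - base] + "[ACCOUNT]" + out[a1 - base:]
        return out

    for _, pattern in _PATTERNS:
        log_text = pattern.sub(_mask, log_text)
    return log_text


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.kind} credential for {f.account}")
    print(redact(SAMPLE_LOG, keep_accounts=False))
```

To check a live installation, fetch the log URL with an ordinary HTTP client from an address outside the appliance's trusted network and pass the response body to `find_cleartext_credentials`; a non-empty result from an unauthenticated request is the finding. Keep the redaction step separate from the scan so the evidence you share never carries the secrets themselves.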

Author Comment

by:RPPreacher
ID: 24241657
This is a fairly big vendor.  You would very likely know the name if I posted it.

Accepted Solution

by:AielloJ (earned 2000 total points)
ID: 24241857
Sounds like a tough situation.  First make sure you CYA in writing to both your management and the vendor, which it sounds like you did.  I'm not certain there's a liability for exposing a risk.  I'd get the blessing of your corporate office before doing so - just to protect your employment.

The only thing I can think of to get action yet remain anonymous would be to contact technical security organizations that test products and publish their reports.  Most of them would probably be interested in taking your concern and running with it, especially since it would make good press for them.
