calvinmorrison 4 hours ago

> By even flagging the issue and the potential fallout, I’ve put my career at risk. Simple as. Not your company? Not your problem? Notify, move on.
Aurornis 21 minutes ago | parent

Their website says they're a freelance cloud architect. The article doesn't say exactly, but if they used their company e-mail account to send the e-mail, it's difficult to argue it wasn't related to their business. They also put "I am offering" language in their e-mail, which I'm sure triggered the lawyers into interpreting this a different way. Not a choice of words I would recommend using in a case like this.
dspillett 2 hours ago | parent

I read that post as him talking about their company, in the sense of the company they were working for. If that was the case, then an exploit of an unfixed security issue could very much affect them, either just as part of the company if the fallout is enough to massively harm business, or specifically if they had not properly documented their concerns, so “we didn't know” could be the excuse from above and they could be blamed for not adequately communicating the problem. For an external company, “not your company, not your problem” for security issues is not a good moral position IMO. “I can't risk the fallout in my direction that I'm pretty sure will result from this” is more understandable because of how often you see whistle-blowers getting black-listed, but I'd still have a major battle with the pernickety prick that is my conscience¹ and it would likely win out in the end.

[1] Oh, the things I could do if it wasn't for conscience and empathy :)