
Dilemma: Expose (or not) App Security Holes to Prospective Clients



I'm running across this more and more. Prospective client gives access (w/o NDA) to a (relatively) secure solution for the purpose of generating a project specification and project estimate. Usually the SOP is some add-on module or feature enhancement - in other words, not a major overhaul of the current solution. In the due diligence, security holes are discovered, to varying degrees of insecurity. This really becomes an awkward situation when the current solution is provided by a third party OEM and leased by the client. To make matters worse, the prospective client decides NOT to proceed with the project, so there is no financial benefit to giving away consulting services.


Options are:


A: Do not notify the prospective client their solution is insecure and move on.


B: Notify the client their solution is insecure even though they are not the code authors and can't fix it without contacting the vendor.


C: Notify the vendor they have insecure code even though there is no financial incentive to do so - and it likely violates terms and conditions for the client.


D: Sell the exploit knowledge on some hacker forum... (just kidding, this IS NOT really an option - tongue in cheek, people...).


There are plenty of recent cases in the news where dudes hacking systems (usually without permission) but without nefarious/malicious intent have been arrested and charged. For example, last month's airline hack... http://thehackernews.com/2015/05/fbi-plane-hacking.html


What'd Ya Think?


You aren't obligated to do work for them in advance of securing the contract.

Once you get the contract, that's a good time to provide them the information, either as an FYI as part of what you're doing, or as an upsell, if there are things you can do to add security to your solution.


I would definitely tell them. Not sure what the laws are in the US, but I haven't run into any trouble so far. It's not like you're hacking their software, plus it gives them an incentive to choose you now and in the future.


I found they can appreciate someone with proper knowledge of things, someone they can trust and build their business on. That's what you do as a freelancer after all, build relations.


Great feedback gents!


I'll probably share some documentation identifying the problem code. They can then pass that along to the vendor if they feel the hole is significant enough. Up till now, I've been using the insight more for my education (as in what not to do) than as a means to sell a service. But in some instances, the hole was a security liability and should be fixed.


Any input is appreciated.
