Jump to content
Sign in to follow this  
rwhite35

Delemma, Expose (or not) App Security Holes to Prospective Clients

Recommended Posts

I'm running across this more and more.  Prospective client gives access (w/o NDA) to (relatively) secure solution for the purpose of generating a project specification and project estimate. Usually the SOP is some add-on module or feature enhancement - in other words, not a major overhaul of the current solution.  In the due diligence, security holes are discovered, to varying degrees of insecurity.  This really becomes an awkward situation when the current solution is provided by a third party OEM and leased by the client.  To make matters worse, the prospective client decides NOT to proceed with the project so there is no financial benefit to giving away consulting services.

 

Options are:

 

A: Do not notify the prospective client their solution is insecure and move on.

 

B: Notify the client their solution is insecure even though they are not the code authors and can't fix it without contacting the vendor.

 

C: Notify the vendor they have insecure code even though there is no financial incentive to do so - and likely violates terms and conditions for the client.

 

D: Sell the exploit knowledge on some hacker forum... ( just kidding, this IS NOT really an option - toungue and cheek people... ).

 

There are plenty of recent cases in the news where dudes hacking systems (usually without permission) but without nefarious/malicious intent, have been arrested and charged.  For example, last months airline hack... http://thehackernews.com/2015/05/fbi-plane-hacking.html

 

What'd Ya Think?

Share this post


Link to post
Share on other sites

You aren't obligated to do work for them in advance of securing the contract.

Once you get the contract, that's a good time to provide them the information, either as an FYI as part of what you're doing, or as an upsell, if there are things you can do to add security to your solution.

Share this post


Link to post
Share on other sites

I would definitely tell them. Not sure what the laws are in the US but I haven't run in any trouble so far. It's not like your hacking their software plus it gives them an incentive to choose you now and in the future.

 

I found they can appreciate someone with proper knowledge of things, someone they can trust and build their business on. That's what you do as a freelancer after all, build relations.

Share this post


Link to post
Share on other sites

Great feedback gents!

 

I'll probably share some documentation identifying the problem code.  They can then pass that along to the vendor if they feel the hole is significant enough.  Up till now, I've been using the insight more for my education (as in what not to do) then a means to sell a service.  But in some instances, the hole was a security liability and should be fixed.

 

Any input is appreciated.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.