
Are you obligated to point out security flaws if you’re just hired for a small job?

You don't want to throw an employee under the bus, but security holes should be fixed.

Stack Exchange
This Q&A is part of a weekly series of posts highlighting common questions encountered by technophiles and answered by users at Stack Exchange, a free, community-powered network of 100+ Q&A sites.

Dokkat was contracted to do a small job on a website for a large corporation. After giving the project a once-over, he realized the code base was full of security risks: "Lots of PHP files throwing user get/post input directly into mysql requests and system commands." Dokkat says the programmer responsible has a family and children, and he doesn't want to be the one to put this employee's job in jeopardy. How should he proceed without throwing someone under the bus?

See the original question here.

Educate rather than confront

Eric Hydrick Answers (98 votes):

First and foremost here, the priority is to close the security holes.

If you're working directly with the engineer who wrote this, document everything and give it to that engineer.

If not, tell your employer the security issues are bigger than initially thought and that the site needs a lot of work. Ask to work with the main developer who's on the site and offer to teach them about PHP security (don't promise to make the person an expert) so that person can take over after you're done.

Don't make this a "this guy is bad, fire him" issue. Approach it from the perspective of, "Hey, I found some potential bugs that need fixing stat, which seem to be coming from some common misconceptions about site security. I'd also like to talk to your developer so we can improve your site and hopefully avoid more of these issues in the future."


A teachable moment

Karl Bielefeldt Answers (64 votes):

There's a difference between ignorance and incompetence. There was a time when you didn't know what SQL injection was either, and there's no reason to believe the original programmer isn't capable of fixing the problems once he is made aware of them.

So tell them. Be specific and objective, and make yourself available to answer questions, provide examples of exploits, and give recommendations for fixes. If they still don't get it after that point, the most you can really do is not put any of your own personal information on the site.
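The pattern Dokkat describes (request input concatenated straight into MySQL queries and shell commands) and the "recommendations for fixes" Karl suggests handing to the developer, shown side by side as an added example; this is not code from the original post or from any of the answerers. The `users` table, the `mysqli` connection details and the `ping` helper are assumptions made for illustration.

```php
<?php
// Added example, not from the original post or any answer. It contrasts the
// vulnerable pattern the question describes with the prepared-statement and
// escapeshellarg forms a reviewer would recommend. The `users` table and the
// connection details in the usage comment are assumptions.

// --- BEFORE: the pattern the question describes (keep out of production) ---
function find_user_vulnerable(mysqli $db, string $username): ?array
{
    // The value is spliced into the SQL text, so the structure of the query
    // depends on whatever the client sent.
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

function ping_host_vulnerable(string $host): string
{
    // Same defect with the shell: input becomes part of the command line.
    $out = shell_exec("ping -c 1 " . $host);
    return is_string($out) ? $out : '';
}

// --- AFTER: parameterised query and validated, escaped shell argument ---
function find_user(mysqli $db, string $username): ?array
{
    // A prepared statement sends the SQL text and the value separately;
    // the bound value can never change the statement's structure.
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ?");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function ping_host(string $host): string
{
    // Validate against an allow-list of hostname characters first, then
    // escape so the value reaches the command as exactly one argument.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid host name');
    }
    $out = shell_exec('ping -c 1 ' . escapeshellarg($host));
    return is_string($out) ? $out : '';
}

// Usage (assumed connection details; $_GET/$_POST are the request input the
// question refers to):
// $db   = new mysqli('localhost', 'app', 'secret', 'appdb');
// $user = find_user($db, $_GET['username'] ?? '');
// echo ping_host($_POST['host'] ?? '');
```

The two "after" functions are the kind of concrete, objective fix recommendation the answer calls for: each one replaces string concatenation with a mechanism (bound parameters, `escapeshellarg` after allow-list validation) that keeps data from being interpreted as query or command syntax, which is easier to hand to the original developer than a general warning about injection.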

Just do your job, but mention the problem

Dave Rager Answers (16 votes):

Your job isn't to redo the site for him. It's to fix the small bug. However, if you've noticed security issues that should be fixed you can bring it up with the site owner and offer insight on what the problem might be.

Don't berate or talk negatively about the original developer or comment on how horrible the code is. Be respectful and professional. You can offer to work with the developer to resolve the issues. Don't try to fix it yourself or offer a solution unless you've been contracted to address the problem. If they follow your advice and you're wrong, they could come back on you.

Find more answers or leave your own at the original post. See more Q&A like this at Programmers, a site for conceptual programming questions at Stack Exchange. And of course, feel free to login and ask your own.
