I read that post as him talking about their company, in the sense of the company they were working for. If that was the case, then an exploit of an unfixed security issue could very much affect them either just as part of the company if the fallout is enough to massively harm business, or specifically if they had not properly documented their concerns so “we didn't know” could be the excuse from above and they could be blamed for not adequately communicating the problem.
dspillett|9 days ago
For an external company “not your company, not your problem” for security issues is not a good moral position IMO. “I can't risk the fallout in my direction that I'm pretty sure will result from this” is more understandable because of how often you see whistle-blowers getting black-listed, but I'd still have a major battle with the pernickety prick that is my conscience¹ and it would likely win out in the end.
[1] oh, the things I could do if it wasn't for conscience and empathy :)
No, I mean 'a company you own'. At the end of the day you're just a worker getting paid to produce output. Cross your I's and dot your T's and whatever else and then clock out.
Their website says they're a freelance cloud architect.
Aurornis|9 days ago
The article doesn't say exactly, but if they used their company e-mail account to send the e-mail it's difficult to argue it wasn't related to their business.
They also put "I am offering" language in their e-mail which I'm sure triggered the lawyers into interpreting this a different way. Not a choice of words I would recommend using in a case like this.
kjs3|8 days ago
This is a good point. I think we get a couple of emails a week for exactly this kind of bottom feeder 'consulting firm' 'offering' to tell us all about some massive security issue they found, as long as we sign up for a 'consulting engagement'[1]. On the other hand, we generally ignore them, not threaten to sue them.
[1] We get about as many 'pay us a bounty or we'll tell the world about this horrid vulnerability we found'. I have suggested to legal we treat those like extortion attempts to make them go away and stop wasting our time but legal doesn't want to spend time on it.
calvinmorrison|8 days ago