
561 points bearsyankees | 2 comments
SpaceL10n ◴[] No.43966123[source]
I worry about my own liability sometimes as an engineer at a small company. So many businesses operate outside of regulated industries where PCI or HIPAA don't apply. For smaller organizations, security is just an engineering concern - not an organizational mandate. The product team is focused on the features, the PM is focused on the timeline, QA is focused on finding bugs, and it goes on and on, but rarely is there a voice of reason speaking about security. Engineers are expected to deliver tasks on the board and little else. If the engineers can make the product secure without hurting the timeline, then great. If not, the engineers end up catching heat from the PM or whomever.

They'll say things like...

"Well, how long will that take?"

or, "What's really the risk of that happening?"

or, "We can secure it later, let's just get the MVP out to the customer now"

So, as an employee, I do what my employer asks of me. But, if somebody sues my employer because of some hack or data breach, am I going to be personally liable because I'm the only one who "should have known better"?

replies(7): >>43966138 #>>43966170 #>>43966356 #>>43966467 #>>43966741 #>>43966760 #>>43966875 #
1. kelnos ◴[] No.43966356[source]
As much as I despise the "I was just following orders" defense, do make sure you get anything like that in writing: an email trail where you raise your concerns about the lack of security, with a response from a boss saying not to bother with it.

Not sure where you are located, but I don't know of any case where an individual rank-and-file employee has been held legally responsible for a data breach. (Hell, usually no one suffers any consequences for data breaches. At most the company suffers a token fine and they move on without caring.)

replies(1): >>43966584 #
2. hnlmorg ◴[] No.43966584[source]
> do make sure you get anything like that in writing: an email trail where you raise your concerns about the lack of security, with a response from a boss saying not to bother with it.

A few years ago I was put in the situation where I needed to do this and it created a major shitstorm.

“I’m not putting that in writing” they said.

However it did have the desired effect and they backed down.

You do need to be super comfortable with your position in the company to pull that stunt though. This was for a UK firm and I was managing a team of DevOps engineers. So I had quite a bit of respect in the wider company as well as stronger employment rights. I doubt I’d have pulled this stunt if I was a much more replaceable software engineer in an American startup. And particularly not in the current job climate.