38

While working on a project for my company, I needed to build functionality that allows users to import/export data to/from our competitor's site. While doing this, I discovered a very serious security exploit that could, in short, perform any script on the competitor's website.

My natural feeling is to report the issue to them in the spirit of good-will. Exploiting the issue to gain advantage crossed my mind, but I don't want to go down that path.

So my question is, would you report a serious vulnerability to your direct competition, in order to help them? Or would you keep your mouth shut? Is there a better way of going about this, perhaps to gain at least some advantage from the fact that I'm helping them by reporting the issue?

Update (Clarification):

Thanks for all your feedback so far, I appreciate it. Would your answers change if I were to add that the competition in question is a behemoth in the market (hundreds of employees in several continents), and my company only started a few weeks ago (three employees)? It goes without saying, they most definitely will not remember us, and if anything, only realize that their site needs work (which is why we entered this market in the first place).

This might be one of those moral vs. business toss-ups, but I appreciate all the advice.

user17610
  • 243

14 Answers

62

Though I'd love to live in a world where it would be perfectly safe to just drop them a note to let them know, I'd suggest involving your legal department first. Realistically, it's entirely possible that however well-intentioned your bug report is, someone in the competitor's organization will interpret it as "our competitor just paid one of their employees to hack our site". That perception could create legal or PR issues for both you and your company. Involving your legal department in the notification should help shield everyone from the appearance of impropriety. Of course, that creates the possibility that the legal department concludes that notifying the competitor creates an unacceptable legal risk and tells you just to sit on the information. But that's much better than the alternative that it all blows up in your face.

Justin Cave
  • 12,811
30

This is going to sound awful (at least compared to most answers here) but, here go my 2 cents:

Why should you do anything about it?

First things first, they already have employees who should be doing that sort of work (finding problems and fixing them).

Secondly, the way you formed your question makes it sound as if this is some kind of a moral dilemma. It's not. You did not do anything to cause that problem in the first place.

Thirdly, you are competing against them. You should be focused on making YOUR product the best there is, not theirs.

If you're still in doubt, go back to my point no. 2 and re-read it.

Jas
  • 6,313
22

There's a thin line between exploring vulnerabilities and industrial espionage, and since you are affiliated with your employer, the competitor can consider it the latter.

If you report it and there's a legal/PR nightmare, you'll be the scapegoat.

Talk to your legal department and let them handle it as they see fit - there's a reason they make way more than engineers.

Uri
  • 4,856
20

An alternative mechanism, not yet suggested AFAICS, of getting the information to your competitor with no risk to your own company is to let one of the various vulnerability reporting companies know about the vulnerability - and ask them to report it to your competitor. They (the vulnerability reporting company) would keep your name out of the report - you'd be anonymous to your competitor. One such company is the Zero Day Initiative, ZDI - there are a number of others.

11

Leak it to the media, anonymously of course, and then offer quick migration to customers of the competitor. This might seem like a low blow, but consider this: there is nothing illegal or unethical about what you are doing. Further, consider that it is a dog-eat-dog world in SW, and as David going against Goliath you are going to need all the leverage. Remember, it's not personal, it's strictly business. They would do the same to you in a heartbeat.

(FWIW I fully expect this answer to be down-voted, but that's OK because what I am saying is the truth albeit a harsh one.)

Gaurav
  • 3,739
8

What would you like them to do if they found a security vulnerability in your software? That should be the first question you ask. If the answer is "I would really appreciate it if they told me", well, then you have your answer!

It doesn't matter that they are a giant company or a three person shop, and it doesn't matter that you are a three person shop or a giant company. As has been said, your reputation is everything, especially in this small community known as software.

8

If you're importing/exporting data between their systems and your own, their security vulnerability could easily become your security vulnerability.

You'll want to cover your butt technologically and legally. Make sure it gets fixed but make sure your legal department has a hand in notifying them.

Ben L
  • 1,704
5

Obviously, let them know.

If "out of the goodness of your heart" isn't a good enough reason, consider that you are implementing this feature as a benefit for your own customers. You're indirectly protecting their data by reporting this bug.

jdl
  • 629
2

There's only one honorable choice. Tell them.

Eric King
  • 11,008
0

In principle, I totally agree with what most here say: Step up and report it. There is a professional code of honour like out at sea: If a ship's in trouble, you help, no matter who it belongs to.

Reading your update, however, I'd probably decide against telling them because of the risk that the well-intentioned action might be taken the wrong way (as industrial espionage as @Uri says), and lead to hostilities that are much more dangerous to your three-man shop than they will ever be to them.

Maybe drop an anonymous note; maybe not do anything at all. If you're David, you don't have to tell Goliath that he's got a bee sitting on his back.

Pekka
  • 1,509
0

Personally I would tell them.

Other people have pointed out the possible PR/legal issues, and if after talking to a lawyer or PR agent you are advised not to report it, I'D STILL REPORT IT, but anonymously.

It's doing your potential customers a favour, by helping protect their data.

-1

Tell them! It is the right thing to do. Also, what would you like them to do if you were in their spot?

You can't place value on the good will that could come out of this.

Rachel
  • 24,037
KM.
  • 752
-1

Tell them. Then send your resume. They might be hiring. :)

Dynamic
  • 5,786
davidhaskins
  • 2,168
-1

Nature, despite its harsh sides, has its kind occasions. And acts them out without thinking twice.

Dog does not eat dog. Rather, bored people pay for illegal dog fights. And lawyers collect the money. Including from your boss. More than you want to know. They can happily drain startups without blinking.

Also very possible, someone at the "competitor" already knows. Bringing the news can mean more responsibilities than being a simple passing messenger. Is that better than talking to walls?

Security business: Lots of servers with big holes are online. This one server is another one. Full-time job for some. Have you checked your own holes? All of them?

Watch your step.

Customers' data is the important obsession.