from Hacker News

Ask HN: When to notify employer of security vulnerability?

by x0ry on 1/15/16, 9:26 PM with 4 comments

I stumbled upon a recent zero-day for Microsoft Silver Light (CVE-2016-0034 or KB3126036). Checking my work system, I can see it hasn't yet been patched. It's not my job to keep systems secure, I'm only a developer/analyst but ultimately I want to work my way into information systems security + do the right thing. What do you recommend is the best course of action? Do nothing? Wait? Report it immediately?

by facorreia on 1/15/16, 9:30 PM
It sounds as simple as sending an email to IT saying "it has come to my knowledge that there is this security vulnerability in the Silverlight version that we're using".
And then, probably, forget about it -- being too pushy about demanding an fast resolution may lose you the points that you'll gain by pointing out the issue.
by justsorneguy on 1/15/16, 9:32 PM
I would post to an online discussion, to obtain community feedback.
by shogun21 on 1/15/16, 9:30 PM
Report it immediately.