38

While working on a project for my company, I needed to build functionality that allows users to import/export data to/from our competitor's site. While doing this, I discovered a very serious security exploit that could, in short, perform any script on the competitor's website.

My natural feeling is to report the issue to them in the spirit of good-will. Exploiting the issue to gain advantage crossed my mind, but I don't want to go down that path.

So my question is, would you report a serious vulnerability to your direct competition, in order to help them? Or would you keep your mouth shut? Is there a better way of going about this, perhaps to gain at least some advantage from the fact that I'm helping them by reporting the issue?

Update (Clarification):

Thanks for all your feedback so far, I appreciate it. Would your answers change if I were to add that the competition in question is a behemoth in the market (hundreds of employees in several continents), and my company only started a few weeks ago (three employees)? It goes without saying, they most definitely will not remember us, and if anything, only realize that their site needs work (which is why we entered this market in the first place).

This might be one of those moral vs. business toss-ups, but I appreciate all the advice.

user17610
  • 243
  • 3
  • 6
  • 4
    Depends on whether you're moral or amoral. – dietbuddha Feb 17 '11 at 21:53
  • 5
    Report it anonymously from a disposable email address from behind a proxy without any ties to your current workplace. – Job Feb 17 '11 at 22:59
  • 14
    Why does the size of the company have any bearing on what constitutes ethical behavior? – JohnFx Feb 17 '11 at 23:32
  • 6
    There's a little anecdote about a guy who tried to sell Pepsi some secrets from Coke...Pepsi called the cops on him. No matter how intense rivalries can be, competition should always be based on fair and ethical business practices. If you guys are better, you'll beat them regardless of how big or entrenched they are. It may not happen over night, but look at the browser wars. Slowly but surely alternatives are taking share away from IE even with IE preinstalled! – Chris Thompson Feb 18 '11 at 02:00
  • @JohnFx +1: spot on question sir! We could even use the same argument if the situation was reversed: "my company is a well-established and respected behemoth and theirs is only a small company which would likely fail sooner or later anyway." Regardless of the relative size of the companies, the ethics are the same. – bedwyr Feb 18 '11 at 05:18
  • @JohnFx: Maybe no impact on the ethics of the issue, but surely an impact on any advantages in terms of goodwill from the competitor. – user17610 Feb 18 '11 at 08:17
  • @user17610 Ethics is doing the right thing regardless of reward though, so advantages and recognition of some kind (goodwill from the competitor) should have no bearing on the decision. – Nilloc May 12 '13 at 18:32

14 Answers

63

Though I'd love to live in a world where it would be perfectly safe to just drop them a note to let them know, I'd suggest involving your legal department first. Realistically, it's entirely possible that however well intentioned your bug report is, someone in the competitor's organization will interpret it as "our competitor just paid one of their employees to hack our site". That perception could create legal or PR issues for both you and your company. Involving your legal department in the notification should help shield everyone from the appearance of impropriety. Of course, that creates the possibility that the legal department concludes that notifying the competitor creates an unacceptable legal risk and tells you just to sit on the information. But that's much better than the alternative that it all blows up in your face.

Justin Cave
  • 12,691
  • 3
  • 44
  • 53
  • In all likelihood they'll say to go with it - but they'll know the best approach to go about it without exposing you or your company to unwanted legal backdraft. – HorusKol Feb 18 '11 at 02:35
  • If legal department says no, I'd go with the anonymous email idea. And if they say yes, make sure your name is in there somewhere! – Benjol Feb 18 '11 at 08:46
  • 18
    Of course, finding a "legal department" in a company of three is going to be pretty difficult, I imagine :) – Benjol Feb 18 '11 at 08:49
  • @Benjol True, but you definitely need legal advice in these cases. Even if they can't possibly accuse you of hacking their site, they can still claim that your letter was threatening and you tried to blackmail them. – biziclop Feb 18 '11 at 15:12
  • 9
    It pains me to agree with this answer. It's a sad commentary on society when lawyers are needed for a code bug report. – jdl Feb 18 '11 at 18:07
  • I've upvoted this answer a while ago, but I think now it might not give the best advice. Remember, your employer's legal department is **not your** lawyer. They might just report you personally to the other company or make some sort of settlement that screws you up. They do not defend your interests. – K.Steff May 11 '13 at 21:17
30

This is going to sound awful (at least compared to most answers here) but, here goes my 2 cents :

Why should you do anything about it?

First things first, they already have employees who should be doing that sort of work (finding problems and fixing them).

Secondly, the way you formed your question makes it sound as if this is some kind of a moral dilemma. It's not. You did not do anything to cause that problem in the first place.

Thirdly, you are competing against them. You should be focused on making **YOUR** product the best there is, not theirs.

If you're still in doubt, go back to my point no.2 and re-read it.

Jas
  • 6,254
  • 1
  • 31
  • 46
  • 9
    +1 for being realistic. Don't do anything illegal, sure. Immoral? In business, there is no moral or immoral. A company does not have such a thing as a concept of morality. – Davor Ždralo Feb 17 '11 at 23:22
  • And if it gets discovered that you and/or your company sat on the knowledge of the exploit, you could be culpable. You'd certainly take a PR hit. Another thing to consider is - helping them fix an exploit isn't really going to affect their software's competitiveness. – HorusKol Feb 18 '11 at 02:34
  • @HorusKol - why would the outside company take the hit for sloppiness of the company "owning" the exploit? – Jas Feb 18 '11 at 08:23
  • 1
    If the exploit gets found out - they get to deflect the hit by pointing out that you knew about it but sat on it. On the other hand, if you get your press release out first (making sure not to publicly release details), you get to show up their sloppiness and take a +1 in for showing how much you're willing to help them out ;) – HorusKol Feb 18 '11 at 11:36
  • 3
    @HorusKol - the +1 isn't going to pay salaries and costs for the company. Offering a better product than your competitor however, might. – Jas Feb 18 '11 at 13:55
  • Good PR makes sales - sales = money - money = salaries... which bit confuses? – HorusKol Feb 18 '11 at 15:16
  • The reality bit is the confusing one, the rest is okay. – Jas Feb 18 '11 at 15:47
  • 4
    -1. This kind of thinking is a classic example of the Tragedy of the Commons. Security holes are everyone's problem. – Mason Wheeler Feb 18 '11 at 18:02
  • 6
    @Mason Wheeler: The tragedy of the commons is a dilemma arising from the situation in which multiple individuals, acting independently and rationally consulting their own self-interest, will ultimately deplete a shared limited resource even when it is clear that it is not in anyone's long-term interest for this to happen. I don't see how this is applicable here. – user17610 Feb 18 '11 at 18:25
  • 1
    @user17610: The shared resource in question is the security of the Internet. – Mason Wheeler Feb 18 '11 at 18:27
  • 3
    Frankly I am shocked that you would suggest not telling your competitor about their security bug. Why not file a bug report in the form of a press release or promotional email. Such bug report should note the absence of said bug in your product and the potential implications for users. – emory Apr 22 '12 at 07:35
  • @emory - It's fine if you want to do it, but like I said, I find it hardly immoral NOT TO, because in business, you're trying to be the one who makes the profit, not your opponent. Why should I care if I'm competing with Microsoft and it turns out Microsoft's product has a bug that mine does not ? It's all about survival of the fittest, right? – Jas Apr 23 '12 at 07:40
  • @Jas If I'm competing w/Microsoft and Microsoft's product has a bug (that the market would care about if they knew) then it is my competitive advantage. In that case, I have a fiduciary responsibility to my stakeholders to stick it to Microsoft. OTH if the market would not care I have no moral responsibility. – emory Apr 23 '12 at 07:45
  • 2
    @emory - Market care or not, why on Earth would a company be morally obliged to point out a competitor's defect that they did not contribute to in any possible way ?? – Jas Apr 23 '12 at 08:03
  • @Jas a company has a moral obligation to its shareholders. If pointing out a competitor's defect would result in greater profit (customers switch allegience to the bug-free product), then the company is morally obligated to do so. And they are obligated to do so in the way that profits shareholders the most - which is usually the way that harms the competitor the most. – emory Apr 23 '12 at 08:34
  • @Jas Your point about *You should be focused on making **YOUR** product the best there is, not theirs.* is spot on, but sometimes that means just reminding everyone how crappy the other guy's product is. – emory Apr 23 '12 at 08:39
  • Maybe because in this question, the OP's product *depends on the competitors' product*? That means that their security risk is now your security risk. – jpmc26 Aug 31 '15 at 23:05
22

There's a thin line between exploring vulnerabilities and industrial espionage, and since you are affiliated with your employer, the competitor can consider it the latter.

If you report it and there's a legal/PR nightmare, you'll be the scapegoat.

Talk to your legal department and let them handle it as they see fit - there's a reason they make way more than engineers.

Uri
  • 4,836
  • 1
  • 18
  • 23
20

An alternative mechanism, not yet suggested AFAICS, of getting the information to your competitor with no risk to your own company is to let one of the various vulnerability reporting companies know about the vulnerability - and ask them to report it to your competitor. They (the vulnerability reporting company) would keep your name out of the report - you'd be anonymous to your competitor. One such company is the Zero Day Initiative, ZDI - there are a number of others.

Jonathan Leffler
  • 1,846
  • 14
  • 21
11

Leak it to the media, anonymously of course, and then offer quick migration to customers of the competitor. This might seem like a low blow, but consider this: there is nothing illegal or unethical about what you are doing. Further, consider that it is a dog-eat-dog world in SW, and as David going against Goliath you are going to need all the leverage. Remember, it's not personal, it's strictly business. They would do the same to you in a heartbeat.

(FWIW I fully expect this answer to be down-voted, but that's OK because what I am saying is the truth albeit a harsh one.)

Gaurav
  • 3,729
  • 2
  • 25
  • 43
  • Seems good to me: you notify them and make a profit at the same time. However, there's the chance they get ticked off and start fishing for vulnerabilities in your site. – apoorv020 Feb 18 '11 at 05:43
  • @apoorv It will only mean you have become big enough to worry the Goliath :-). – Gaurav Feb 18 '11 at 05:48
  • I don't understand why use the words "leak" and "anonymously". The OP did not do anything wrong or immoral. – emory Apr 22 '12 at 07:39
  • @apoorv020 You should assume they (and a whole bunch of others) are constantly fishing your site for vulnerabilities. – emory Apr 22 '12 at 07:39
  • Since it is a "behemoth" company in your market, something to consider is how your market's customers will react if the vulnerability is widely reported in the media. Would they respond with "If I can't trust my data with <> should I be doing this at all?" The answer to that can help to determine how public you want your vulnerability report to be. Your actions may affect perception of your market as a whole. – Zusukar May 21 '13 at 15:38
  • I want to +10, This sort of information calls for a strategic business meeting to discuss leveraging the situation, not a message of full disclosure to your competitor. – recursion.ninja Oct 05 '13 at 16:31
8

What would you like them to do if they found a security vulnerability in your software? That should be the first question you ask. If the answer is "I would really appreciate it if they told me", well, then you have your answer!

It doesn't matter that they are a giant company or a three person shop, and it doesn't matter that you are a three person shop or a giant company. As has been said, your reputation is everything, especially in this small community known as software.

Jesse McCulloch
  • 1,124
  • 1
  • 11
  • 13
  • 3
    Isn't doing the opposite of what the competition wants a normal business strategy? – user17610 Feb 17 '11 at 21:53
  • @user17610 - I guess that depends on the situation... can't make a blanket statement and make all your decisions by that. If your competition wants to make boatloads of money, are you going to do the opposite? – Jesse McCulloch Feb 17 '11 at 21:58
  • No, then I'll ensure that they don't make boatloads of money ;) – user17610 Feb 17 '11 at 22:01
  • 2
    +1 for "what would you like them to do if they found the vulnerability in your software?" – Craige Feb 18 '11 at 00:40
  • -1: I would like them to tell me, because subsequently accusing them of industrial espionage will help corrode their market share! Never assume benevolence in your competitor... – recursion.ninja Oct 05 '13 at 16:33
  • *What would you like them to do if they found a security vulnerability in your software?* Whenever someone finds a security vulnerability in my software, I *like* it when they also provide a fix. In addition to that, I would *like* it when they provide me with free cupcakes for a year and a box of new puppies (assorted colors). – sixtyfootersdude Oct 08 '13 at 17:12
  • @awashburn So, knowing that the best they're likely to get by telling you directly is a dollop of goodwill - and the worst is a vicious accusation of espionage - why would a competitor do it at all if *not* for benevolent reasons? A malevolent competitor gains only by sitting on it or leaking or exploiting it themselves, whether they uncovered it through espionage or accident, but you would happily turn around and bite someone who told you and thereby gave up benefiting materially from it? – shambulator Oct 08 '13 at 18:35
8

If you're importing/exporting data between their systems and your own, their security vulnerability could easily become your security vulnerability.

You'll want to cover your butt technologically and legally. Make sure it gets fixed but make sure your legal department has a hand in notifying them.

Ben L
  • 1,704
  • 13
  • 20
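The point above, that a script-injection bug on the site you import from becomes your bug the moment you render the imported fields, is easy to demonstrate. The following is an added example, not code from the question or from any answer: a hypothetical importer that treats the competitor's export as hostile input. The record schema (`id`, `name`, `homepage`, `notes`), the JSON export format and the sample payloads are all assumptions made for illustration; the question does not say what format the real import uses.

```python
"""Treat data imported from a third-party site as hostile input.

Hypothetical helper, not from the original post. Assumption: the export
pulled from the competitor can carry attacker-controlled markup (the
question describes a bug that runs arbitrary script on their site), so
that markup must not run on ours either. The defence is unglamorous:
validate the shape of each record, allow-list link schemes, and
HTML-escape at render time.
"""
import html
import json
from urllib.parse import urlsplit

# Fields we accept from the import and the maximum length of each.
# Anything else in a record is dropped. (Assumed schema, for illustration.)
ALLOWED_FIELDS = {"id": 64, "name": 200, "homepage": 2048, "notes": 4000}
ALLOWED_URL_SCHEMES = {"http", "https"}


def sanitize_record(raw: dict) -> dict:
    """Reduce an imported record to known fields with bounded string values.

    Escaping is deliberately *not* done here: store the raw text and escape
    when rendering, so the same value can be emitted safely in HTML, JSON
    or a CSV export without double-encoding.
    """
    clean = {}
    for field, max_len in ALLOWED_FIELDS.items():
        value = raw.get(field, "")
        if not isinstance(value, str):
            value = str(value)
        clean[field] = value[:max_len]
    # Links are allow-listed by scheme; javascript:, data:, vbscript: and
    # scheme-less "//host/path" values are replaced with an empty string.
    parts = urlsplit(clean["homepage"].strip())
    if parts.scheme.lower() not in ALLOWED_URL_SCHEMES or not parts.netloc:
        clean["homepage"] = ""
    return clean


def render_row(record: dict) -> str:
    """Render one sanitized record as an HTML table row.

    html.escape(quote=True) neutralises <, >, &, " and ', which is what
    makes text safe both in element content and in quoted attribute values.
    """
    def esc(text: str) -> str:
        return html.escape(text, quote=True)

    if record["homepage"]:
        cell = f'<a href="{esc(record["homepage"])}">{esc(record["name"])}</a>'
    else:
        cell = esc(record["name"])
    return (f"<tr><td>{esc(record['id'])}</td><td>{cell}</td>"
            f"<td>{esc(record['notes'])}</td></tr>")


def import_export(blob: str) -> list:
    """Parse a JSON export and return safe HTML rows, skipping malformed entries."""
    rows = []
    for entry in json.loads(blob):
        if not isinstance(entry, dict):
            continue  # a bare string or a list is not a record; do not guess
        rows.append(render_row(sanitize_record(entry)))
    return rows


# Constructed sample export (not real data). The second record carries the
# kind of payload that fires on a site which renders fields unescaped.
SAMPLE_EXPORT = json.dumps([
    {"id": "1", "name": "Acme Widgets",
     "homepage": "https://acme.example/", "notes": "ok"},
    {"id": "2", "name": "<script>alert(document.cookie)</script>",
     "homepage": "javascript:alert(1)", "notes": '" onmouseover="alert(1)'},
])

if __name__ == "__main__":
    for row in import_export(SAMPLE_EXPORT):
        print(row)
```

The two decisions worth copying are separating sanitization (shape, length, scheme) from escaping (done at the output boundary, for the context you are emitting into) and refusing rather than repairing anything that does not match the expected shape. If the import also feeds a database, the same values go through parameterised queries; none of the escaping above makes a string safe for SQL.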
5

Obviously, let them know.

If "out of the goodness of your heart" isn't a good enough reason, consider that you are implementing this feature as a benefit for your own customers. You're indirectly protecting their data by reporting this bug.

jdl
  • 629
  • 3
  • 9
2

There's only one honorable choice. Tell them.

Eric King
  • 10,876
  • 3
  • 41
  • 55
0

In principle, I totally agree with what most here say: Step up and report it. There is a professional code of honour like out at sea: If a ship's in trouble, you help, no matter who it belongs to.

Reading your update, however, I'd probably decide against telling them because of the risk that the well-intentioned action might be taken the wrong way (as industrial espionage as @Uri says), and lead to hostilities that are much more dangerous to your three-man shop than they will ever be to them.

Maybe drop an anonymous note; maybe not do anything at all. If you're David, you don't have to tell Goliath that he's got a bee sitting on his back.

Pekka
  • 1,509
  • 13
  • 18
0

Personally I would tell them.

Other people have pointed out the possible PR/Legal issues, and if after talking to a lawyer or PR agent you are advised not to report it, I'D STILL REPORT IT, but anonymously.

It's doing your potential customers a favour, by helping protect their data.

Dominique McDonnell
  • 1,273
  • 11
  • 14
-1

Tell them! It is the right thing to do. Also, what would you like them to do if you were in their spot?

You can't place value on the good will that could come out of this.

Rachel
  • 23,979
  • 16
  • 91
  • 159
KM.
  • 752
  • 7
  • 13
-1

Tell them. Then send your resume. They might be hiring. :)

Dynamic
  • 5,746
  • 9
  • 45
  • 73
davidhaskins
  • 2,158
  • 2
  • 18
  • 26
  • 18
    I'd prefer to not work for people who write such bad code that 15 minutes of inspection leads to the discovery of a serious vulnerability ;) – user17610 Feb 17 '11 at 22:07
  • @user17610: Okay, an adjusted variant: tell them and see if they fix it. If they don't fix it in reasonable time don't send your resume to them. – sharptooth Feb 18 '11 at 11:33
-1

Nature, despite its harsh sides, has its kind occasions. And acts them out without thinking twice.

Dog does not eat dog. Rather, bored people pay for illegal dog fights. And lawyers collect the money. Including from your boss. More than you want to know. They can happily drain startups without blinking.

Also very possible, someone at "competitor"'s already knows. Bringing the news can mean more responsibilities than being a simple passing messenger. Is that better than talking to walls ?

Security business: Lots of servers with big holes are online. This one server is another one. Full time job for some. Have you checked your own holes? All of them?

Watch your step.

Customers data is the important obsession.

  • 2
    Okay, I've read this post twice - and I'm *still* not sure which side of the debate it's supporting... :) – Cyclops Feb 18 '11 at 16:45