So here’s the situation. I’m a developer for a vendor that sells products that are intended to be used on customers’ intranets. Never open to the internet. Customers are generally responsible for their own network security here.

We sell this to many customers and they get the version that’s hot at the time, and might possibly upgrade every year or two… if we’re lucky. Some of our customers are running really old versions and they are fine with it (SQL Server 2005? nothing wrong with it!). We try to push the upgrades, but it’s a sometimes costly endeavour if it involves third-party integration changes, and customers are cheap sometimes.

I recently discovered a really bad security issue that’s been around literally forever. Like, really bad. I did a proof of attack, showed it to my managers, and got it fixed in the latest version to be released.

But what about all the customers who don’t have this version, and the ones who will likely never bother to upgrade? Are we legally required to divulge this kind of known issue? Would we be legally forced to back-port and patch every customer’s system if they demanded it?

Again, I’m a developer. I informed my manager and our security lead. I am just curious how this should play out for our customers, if done properly.

submitted by /u/ilikeladycakes