Hacker News

SWE in security here. Why the heck would I "whistleblow" in a scenario where a vulnerability was internally found, unused, reported to legal, and fixed? That is part of any healthy SDLC.

The EU is implying that it is illegal to accidentally write vulnerable code. Pure insanity, nearly every software company would go out of business overnight if this was a stance they actually enforced.



“nearly every software company would go out of business overnight if this was a stance they actually enforced”

For the better, if your attitude is the “healthy SDLC”.


I'm sure we've literally never written a vulnerable line of code in our lives, right?

Security reviews are part of a healthy SDLC. You catch vulnerabilities as part of security reviews as they would be totally unnecessary if people simply wrote perfect code to begin with.


Ideally because the law requires reporting vulnerabilities, and includes criminal penalties for those who knowingly hide vulnerabilities.


When I worked in tech, we reported the vulnerabilities internally and passed them off to legal. Taking that to the government was legal's job.

I am not gonna go out of my way to "whistleblow on vulnerabilities to the EU" after I have done my job and reported everything to legal.



