Being able to find a flaw in a system isn't going to win you any friends - depending on your intent you may or may not profit from it - but the developers won't appreciate being told they screwed up and a project manager somewhere is quietly weeping over their previously impeccable Gantt chart1.
One of my clients asked me if they could get one system to "integrate" with another by automatically logging on for the user. Aside from the usual question marks about stored credentials I did point out that unless there's a central authentication model (such as OAuth) it would not be advisable. Nevertheless I completed due diligence. In the process of doing the impact assessement I ended up doing a lightweight mini pentest after finding some interesting behaviour.
In this situation I'd normally contact the vendor and let them know about some areas for improvement and say nothing to anyone else but before I started the client specifically asked me not to contact the vendor of the system for any reason. Politcs aside they're clearly intending to replace the system and do not want to engage the vendor in the process.
Reading the papers yesterday puts the issue list in perspective - none of the issues I found are particulary serious but it does affect an HR system (and therefore real people data).
I could provide the information to the client and let them decide whether or not to disclose to the vendor but the problem here, again, is politics. They could also use it as a bargaining chip to either better the price or cut loose of a contract without giving the vendor a fair chance.
Knowing the client as well as I do they probably wouldn't expand the budget for upgrades so the vendors natural patch path has a chance to resolve some of these issues. To me this isn't an ethical approach because you're putting the power of blame essentially out in the open, which defies the point of responsible disclosure.
At some point the contract I have with the client will end but siding with the client vs. the vendor should have nothing to do with the financial incentives - Only bug bounties are the exception to this ethic.
I spent some time thinking about it and decided to get in touch with the vendor, against my clients wishes. I need not divuldge the detail of the political situation and only the tech detail.
Is that the right thing to do? What would you do?
1: No plan survives first iteration. Ok, ok, ok this could be a burndown chart but it seems most environments say "agile" but make it synonomous with "waterfall". Or Wagile™.
