Ask HN: When to notify employer of security vulnerability?

2 points by x0ry 10 years ago · 4 comments · 1 min read


I stumbled upon a recent zero-day for Microsoft Silverlight (CVE-2016-0034 or KB3126036). Checking my work system, I can see it hasn't yet been patched. It's not my job to keep systems secure; I'm only a developer/analyst, but ultimately I want to work my way into information systems security + do the right thing. What do you recommend is the best course of action? Do nothing? Wait? Report it immediately?

facorreia 10 years ago

It sounds as simple as sending an email to IT saying "it has come to my knowledge that there is this security vulnerability in the Silverlight version that we're using".

And then, probably, forget about it -- being too pushy about demanding a fast resolution may lose you the points that you'll gain by pointing out the issue.

justsorneguy 10 years ago

I would post to an online discussion, to obtain community feedback.

  • x0ry (OP) 10 years ago

    Are you saying like on an internal company blog or something?

shogun21 10 years ago

Report it immediately.
