Potential fuck up at work, need advice

I work in IT for a large company. My role is to help deploy a new document management system company wide. We started rolling out the system to the UK first.

Yesterday, I noticed that for whatever reason regular users had complete access to a special "admin control" button. I flipped because we keep both internal and external vendors in this system. This is bad because there's sensitive financial data on the system and this admin control button could allow anyone to basically go in, read, and change it. Mostly relating to payroll data and vendor contracts stating pay.

It's not my fault the button appeared (thank god), but our entire dev is based in the States (it was MLK day) and I'm on my own in the UK. I opened a critical ticket with our development tracking system, which is SOP, but then to inform my support team I opened a critical ticket in our regular incident system used to report general issues through a standard support portal.

Well, doing the second ticket ended up getting a lot more people involved who don't participate with my team. A few bigwigs got attached to some email chains and my boss's boss, who has been out for MLK day, got some nastygrams about why this wasn't fixed considering what was affected and how many users were impacted. I'm pretty sure this went all the way up to the C level suite looking at the names involved.

This issue affected about 500ish people and was considered a high priority with this outside team for my developers to get resolved.

I'm at a crossroads, however. I have a gut feeling I should just own this and say that this bug was sloppy and exposed sensitive data. This issue exposed a lot of structural problems (no on call engineer, lapse in QA procedures, everyone checking out for a holiday). These need to be fixed if we are to provide this service to the degree of perfection needed to avoid getting outsourced.

However, at the same time, I think I may have shot myself in the foot professionally by calling so much attention to this and embarrassing a lot of people in the process. We all work in a ton of different areas globally, but I get the impression I'm fucked for the future and will be skipped over for a promotion for my vigilance.

I'm leaning towards number 1 and just own it considering what was at stake. How would you guys roll on such an issue?