DEV Community

Discussion on: What are the worst security practices you've ever witnessed?

Carl Vitullo

A couple of years ago, I called a "fire" (everyone drops what they're doing to fix a major issue) because I found a completely unsecured API endpoint that served names, emails, home addresses, and SSNs using sequential IDs. It was fixed in less than a day after I reported it, but I couldn't believe it had been allowed to exist.

Somewhere else, all of engineering shared one set of credentials for the Jenkins server, which was accessible via the internet. After I no longer worked there, it struck me that not only could I have deleted the build configuration for the entire company, they wouldn't have been able to find out who did it.