Rob,

Unless there is imminent, significant danger to individuals or society that you can mitigate by "whistle blowing" then you should stay with your contractual obligations. To publish a vulnerability that the vendor is unlikely to fix, that exposes many companies to harm, and that would expose your employer to legal action would be a far greater wrong than you might otherwise be able to fix.

If your employment agreement allows you to make a private report to the US-CERT about the vulnerability, then you should do so. Otherwise, if your employment agreement allows you to relate the problem privately, without naming companies involved, to another, then you can tell me about it when you return and I will notify the US-CERT and the vendor. Otherwise, you should simply resign yourself to the fact that business often works this way.

I would make sure that you do what you can to ensure that what you found gets into any written report that goes to the client. They should be aware of your findings. Of course, what they do with that information is up to them. Same goes for your employer -- make sure you document it for them, at least as part of your report and be sure to brief your supervisor. You have fulfilled your duty at that point to your employer, and to your client. The obligation then extends to your employer to try to get a fix in place, and that will remain even after you return to school.
Unfortunately, this situation is not uncommon in the "real world." In most cases, going public can only result in more harm than it fixes -- and in particular, it can cause you considerable personal harm. The only time you should consider going against the system is when you know someone is going to suffer greater harm if you don't immediately disclose the information. And even then, you have to be willing to take the consequences -- which may include lawsuits and establishing a reputation that some other companies might find negative.

I hope that helps!

--spaf