Ask HN: Have you ever ignored a bug that came back to haunt you?

5 points by tobaschco over 7 years ago

4 comments

allwein over 7 years ago
Yes, fun story.

In the early 2000's, I was working at a company that implemented the ecommerce website of a large electronics company. This company decided to start up a new add-on business targeting users of one of their existing product lines. I was tasked with doing the cart checkout process on the new site. One of my tasks was to handle the scenarios where a customer was checking out as a guest, an existing user logging in during the checkout process, and creating a new user account during the checkout process. I was told to implement the flow on the new site *exactly* the same as the existing site.

In the process of doing so, I discovered a *MAJOR* security hole in the existing site. Specifically, if you were going through new account creation, and you entered in the email address of an existing user, the system would automatically log you in as that user. This was even semi-documented in the comments as "we assume the user forgot they have an existing account". I raised this up to my superiors who didn't grasp the severity of the problem and instead ordered me to reproduce the behavior *EXACTLY*. So we implemented it and pushed it out like that. I was straight out of college and wasn't comfortable at the time of going over my bosses' heads and talking directly to the client.

Three months down the road and everything is implemented and the client is happy. They were onsite with us for a visit and I was walking somebody through testing some new enhancement. We needed to switch to a different test user account and they were looking through their notes for the password and I was like "No need, we can just use the forgotten account login." They thought I was talking about resetting the password through email, so I showed them how the system worked and their jaws just dropped. Well let's just say at that point the issue got escalated super rapidly. I got majorly crapped on by both the client and our management (since I hadn't had the forethought to document my boss's rejection of the bug).

I've run into the same situation since then, where management refuses some bug they don't deem significant. But now I'm a lot more diligent of documenting those decisions in email and other means. :)
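
The signup behaviour allwein describes, next to a corrected flow, as an added example that is not part of the original comment or the site's code. The in-memory store and all function names are hypothetical, and the sample accounts are constructed.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store: email -> (salt, password hash).
USERS = {}

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def add_user(email, password):
    salt = os.urandom(16)
    USERS[email.lower()] = (salt, _hash(password, salt))

def signup_vulnerable(email, password):
    """Flow as the comment describes it: a known email is treated as
    'the user forgot they have an account' and gets a session for it."""
    key = email.lower()
    if key in USERS:
        return {"session_for": key}  # no proof of identity was required
    add_user(email, password)
    return {"session_for": key}

def signup_hardened(email, password):
    """A known email never yields a session from the signup path."""
    key = email.lower()
    if key in USERS:
        # The caller sends the visitor to the login or password-reset page.
        return {"session_for": None, "next": "login_or_reset"}
    add_user(email, password)
    return {"session_for": key}

def login(email, password):
    """Only a successful credential check creates a session for an
    existing account."""
    record = USERS.get(email.lower())
    if record is None:
        return {"session_for": None}
    salt, stored = record
    ok = hmac.compare_digest(stored, _hash(password, salt))
    return {"session_for": email.lower() if ok else None}
```

A regression test for this flow submits an existing account's email with a wrong password to the signup path and asserts that no session is issued.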
drakonka over 7 years ago
Yes, right now. It was deemed as not important enough (by me and others on the team) as the user base it affected never used the functionality that was broken for them anyway and the users who *did* use this functionality were not affected by the issue at all. Now we are doing some changes to our overall environment setup and suddenly this same bug is going to affect *all* users who currently rely on the functionality.
bewe42 over 7 years ago
Bugs, no. Bad/smelly code: yes, all the time. That's what separates senior from junior devs: over the years you'll learn it'll come back to haunt you eventually, so better to deal with it earlier than later.
SirLJ over 7 years ago
sure, usually the performance related stuff...