My CIO made a zip from our production DB and put it on our server on a public URL (without password). He had a (bad) reason but it doesn't matter.

What should I do? Warn his superior? Shut my mouth and hope someone doesn't notice it?

I feel like this is a terrible mistake that could cost my CIO his job (and maybe worse if the CNIL is warned or if someone steals the zip).
Report it. Your negligence in not doing so will cost you yours one day. That is, if he doesn't do it himself. Proper would be for him to report it himself. If he's not professional about a mistake, then you might consider a career path in being the new janitor?
Don't feel guilty about this kind of thing. People need to own their mistakes. Next thing you know, someone hiding their mistakes will point to you, the responsible kind, to blame.

Don't let your goodness for others bring you into a situation that leaves you helpless. I've seen it happen many times: some superior got found out for some derping and they shifted the blame downward, even if the people below already knew of these things and perhaps helped them hide it out of the goodness of their heart or care for this person. Since they were involved with that part of the problem, it was easy for them to point fingers downwards... and it's always easier to point a finger than man up and risk losing your own job, so that option is what a lot of people take...
Please don’t do the “explain it privately 1:1” thing. I know it sounds like a good idea, and I’ve done it so many times, but it’s going to backfire and I’ve never seen it work. Really, I’ve never seen it work.

Leak it to some outside source. The local media station, anyone with “security researcher” in their name on Twitter, whatever.

Please feel free to email me too. Check my profile. I can give you stories from previous situations I’ve been in.
> worse if the CNIL is warned or if someone steal the zip

This is the reason why you should report it immediately. It is no longer about your relationship with the CIO. At this point the company itself is at risk, and that takes priority.

Depending on whether you can tell for sure if anyone downloaded the ZIP, the company might still be required to raise this with the CNIL.
I would say it depends on the context: is it a mistake, like a misclick or a script with a wrong URL, or is it a deliberate action after you warned him?

It is not quite clear either if the DB is still there and will stay there on purpose, or has it been removed?