tl;dr: hacked into potential employers web app, gained access to client details. can't decide whether to tell them or keep quite. help!<p>I recently interviewed at a company for product engineer position.
I got a decent offer from them, but for some personal reasons I could not accept it.<p>Before going in for the interview.. I did a little bit of research on their company and found a few security flaws in their web app through which I was able to get access to most of their client details as well.
now, I'm confused whether to help them out with the issue or to keep it low considering there are chances of it backfiring on me (though I had a good time during the interview process and a healthy conversation with the people there)<p>what would you do?
I don't think you have anything to gain from telling them and potentially much to lose.<p>All it takes is an obtuse manager or a lawyer wanting to cover the company's back (they could be required by law or by contract to disclose any successful penetration) or just a prosecutor eager for another notch on the belt.<p>Perhaps those are extreme cases but I wouldn't take the chance if I were you.
Let them know privately, then forget about it.
(Forgetting about it includes deleting your copy of the client data.)
You declined the offer, so its not your problem.
However, as a good netizen, you can gain some good karma by letting them (and only them) know about it. Who knows, your good deed may open up opportunities down the road.
You may want to read this article
<a href="https://techcrunch.com/2016/09/20/hacking-for-investor-profit/" rel="nofollow">https://techcrunch.com/2016/09/20/hacking-for-investor-profi...</a>