Slashdot Mirror


Security-Closing The Holes While Gagged?

This, wisely anonymous, Anonymous Coward asks: "I am a paid participant of a survey, and as part of my participation I am not allowed to disclose my role in the survey to anyone. This is stated in the documentation though I haven't agreed to any NDA or contract that specifically says so. As part of the survey, users install client software, which I have found to contain a rather significant security hole. I have explained the hole in detail to the company doing the survey, though they haven't responded or updated the client software. I would like to expose the fault publicly to put pressure on them to fix it, though I fear that doing such would constitute a breach of confidentiality for which I would be liable, despite the lack of an NDA."


  1. Be Careful by Royster · · Score: 4

    There may be an implicit contract by virtue of the fact that you are being paid for the survey. For there to be a contract, there needs to be consideration, an agreement and indication of acceptance. You may already have implicitly agreed to abide by whatever they have put in their documentation by your actions in filling out a survey, say. Ask yourself this: if they were to try to deny paying you, would you feel that they were obligated to based on what you've already done? If so, you are probably obligated not to disclose what you know.

    A truly conscientious stand would be to refuse your pay. Are you willing to do that?

    --
    I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
  2. send it to me at eWEEK by Timothy+Dyck · · Score: 4

    We will publish this if we can repro it and it will affect enough people -- and we will keep your identity anonymous. You can even e-mail me anonymously if you want to go through a remailer (e.g. http://anon.xg.nu or https://www.privacyx.com).

    Regards,
    Tim Dyck
    Technical Director, eWEEK Labs
    timothy_dyck@ziffdavis.com