views: 605
answers: 12
Update:
So, how did things go?

We notified them of the existing problem, included background information, a detailed error report and tried to explain in plain human language what the problem was and why it is serious.

They thanked us, passed the information to their website developer who has since fixed it.
We are not quite sure of the quality of the fix, but there is nothing we can do about that and it is not our responsibility. (Although it does feel like our responsibility, even more so since we reported it).

However, the relationship has changed. They are less open and their responses are far more reserved than before. We hope that this will change for the better in the future, but it sure feels like reporting the problem damaged the trust in this relationship.

So if you ever find yourself in the same position, be careful, take your time to explain the problem and be prepared for a less than optimal response.



Original question:
An affiliate partner of ours has a website that is vulnerable to SQL injection.

We noticed this by accident (a typo in a URL triggered an enormously informative error page).

Now we do not know this affiliate partner very well. We started doing business with them just a week ago. They themselves have very little technical skills; their website is developed for them by a third company that 'does websites'.

Now it is obvious that we should warn them about the problem. But we are a bit worried that if we inform them about the problem they get scared and do not trust us any more (shoot the messenger to make the problem go away).

Have any of you ever been in this situation? What did you do?

An additional thing is:
Because the company that developed the website does not appear to do any input validation/sanitization at all, we do not have a lot of confidence in this company. While it is not our concern, we feel that we should warn our affiliate partner about the potential lack of security and quality in the rest of their system. This would put us sort of head-on with their developer, and we do not want to get involved in a them-vs-us situation.

Should we notify them of our additional concerns, or do you advise us to let it be?
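The pattern the question describes (a URL value pasted straight into a query, so that a stray quote produces a database error and a crafted value changes the query's meaning) can be reproduced in a few lines. The following is an added example, not code from the original post or from the partner's site; it uses Python's standard sqlite3 module, a constructed `products` table with one non-public row, and a hypothetical product lookup in both its vulnerable and parameterised forms. The same function runs the three inputs that matter here: a normal id, the "typo" with a trailing quote, and a classic `' OR '1'='1` payload.

```python
import sqlite3

# Constructed sample data standing in for the partner's site database
# (not from the original post). Row 3 is deliberately not public.
SAMPLE_ROWS = [
    (1, "Widget", 1),
    (2, "Gadget", 1),
    (3, "Unreleased gizmo", 0),
]


def make_db():
    """In-memory database with a products table (constructed fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, is_public INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, product_id):
    """The pattern the question describes: the value from the URL is
    interpolated into the SQL text. Returns the matching names, or the raw
    database error message, which is what a verbose error page would show."""
    sql = f"SELECT name FROM products WHERE is_public = 1 AND id = '{product_id}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return f"ERROR: {exc}"


def lookup_fixed(conn, product_id):
    """Parameterised form: the value is bound separately and never becomes
    part of the SQL text, so quotes and keywords inside it are just data."""
    sql = "SELECT name FROM products WHERE is_public = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def demo():
    """Run both lookups against three inputs; returns a dict of
    (vulnerable_result, fixed_result) pairs."""
    conn = make_db()
    results = {}
    # 1. A normal request: both versions return the public row.
    results["normal"] = (lookup_vulnerable(conn, "1"), lookup_fixed(conn, "1"))
    # 2. A stray quote, like the typo in the question: the vulnerable
    #    version surfaces a SQL syntax error; the fixed one just finds nothing.
    results["typo"] = (lookup_vulnerable(conn, "1'"), lookup_fixed(conn, "1'"))
    # 3. A classic payload: the vulnerable WHERE clause becomes
    #    (is_public = 1 AND id = 'x') OR '1'='1', so the hidden row leaks;
    #    the fixed query compares id with the whole string and returns nothing.
    payload = "x' OR '1'='1"
    results["payload"] = (lookup_vulnerable(conn, payload), lookup_fixed(conn, payload))
    return results


if __name__ == "__main__":
    for case, (vuln, fixed) in demo().items():
        print(f"{case:8} vulnerable={vuln!r}  fixed={fixed!r}")
```

The "typo" case is the one the poster stumbled on: the error text returned by `lookup_vulnerable` is the kind of thing an unhandled exception page prints, and it tells an attacker that the input reaches the database unescaped. The "payload" case shows why that matters, since the non-public row comes back. Binding the value (or using an ORM that does) is the fix; escaping or "sanitizing" by hand is not, because it has to be right for every call site.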

+12  A: 

Bring it up. If it destroys the relationship, better now than when your companies have a closer relationship, so that when they get hacked into next Sunday it hurts you too.

chaos
accepted because of answer + comment: SELECT * FROM `ethics` WHERE `community_security_obligation` > `conflict_avoidance_convenience`
Jacco
+14  A: 

You tell them. Period.

Will they shoot the messenger? Maybe. But if they do then do you really want to be in business with them?

More pragmatically, if they ever had a problem with their website that cost them a lot of money due to such an attack and if it ever came out that you knew about it and did nothing you'd potentially have some liability issues.

Not only is it the right thing to do (to tell them) but you have a professional responsibility to do so.

cletus
+4  A: 

Tell them ASAP. If they don't like it, they probably should not be your partner.

Andrew Cowenhoven
+6  A: 

Ethically, I would say you can't just let it be. Your choices should be to notify them personally, or notify them anonymously. I send off emails all the time for things from security holes right down to broken links or images.

Matt Briggs
+4  A: 

I think you should contact them, explain what a SQL injection attack is and how to overcome it, and let them deal with the company that developed their website. It will show them that you are looking out for their best interests, and I can't see them taking offence, honestly.

Good luck

FailBoy
This is basically what I was going to say... if they have very little technical skills they probably don't even know what SQL Injection is, and like you say they didn't write the site themselves so it's not like you're judging them.
Kip
we are judging their ability to choose business partners, so we are judging them.
Jacco
+1  A: 

I have been in this situation...and I would say be careful and very tactful.

In my own experience, it was a public web site to which I had no affiliation, and they were wary to the point that they became suspicious of my intentions of letting them know their site was vulnerable (to the extent that credit card info could have been exposed).

Mitch Wheat
The 'suspicious of our intentions' part is what we are worried about.
Jacco
Yup, but if it's an affiliate of yours (as opposed to somebody different) you do want to know whether they'll be suspicious of that early on.
David Thornley
A: 

Notify them immediately, preferably consulting your corporate lawyers first. A panicked reaction could be a litigious one.

If you do this in an informative, friendly and helpful manner they may actually look to you to help them solve it, so be prepared to have a response to that too. (Could be good or bad depending on whether you want the work, or don't want the messy burden.)

annakata
+1  A: 

You could phrase it in such a way that your company requires all vendors and partners to provide proof that a security audit has been performed. The audit requirements could include a check for SQL injection, and you could include a section in your "security requirements document" that links to several informative sites. If they don't respond or acknowledge, then you've done your duty in making them aware of the possibility, and by ignoring the issue they've lost your business.

Michael Glenn
I like that. The audit should be applied to all vendors and partners, but it needn't be all that strict.
David Thornley
+4  A: 

This is really similar to the ethical question of "If someone gets hit by a car, do you stop and help and risk getting sued or stand there and watch?"

I'd tell them, but instead of saying "I found a serious security vulnerability in your code", I'd say something like:

"Hey - We got an error message on your web site and I think it may have had some sensitive information in it. Could we take a look at this?" and then walk them through it, gently and carefully.

You do need to tell them, but not in a guns'a'blazin' way.

routeNpingme
stop and help and risk getting sued? people would really sue in such a situation? the mind boggles.
Zeus
@zeus - in America, yes... a few situations in the past couple months actually. Insane.
routeNpingme
A: 

I'd share the concern with whomever is the face of your organization with the client. They should decide how to approach and deal with the client that they have the best understanding of.

Jake Hackl
+2  A: 

Legally change your name to "Bobby'; Drop Table Users;"

Then sign up for an account on their site. This should get their attention.

WARNING: The above text is a joke, do not attempt this at home.

Neil N
LOL +1 for hilarity.
Wayne M
Credits to XKCD.com, of course.
Neil N
+1 for an xkcd reference, -1 for advocating what's actually a bad idea without sufficient warning for clueless readers (and on the net I have a fairly high bar for that, from bitter experience).
David Thornley
I guess I assumed most SO readers would know better. But you never know, so warning label added just in case.
Neil N
I came into this question looking for Little Bobby Tables. Thank you.
Rob Allen
+3  A: 

Send them certified mail (trackable, indicates the issue is important and demands immediate attention, and the paper trail can be useful if they decide to bring problems via their lawyers):

Dear Sir,

Recently we became aware of a vulnerability in your website which may result in interruptions to our service, and possibly data loss or worse. As we depend on (insert product name here) for part of our services, we are interested in this issue being resolved quickly. As such, we recommend the following security services which we have successfully used on our own projects to verify immunity to the most common issues:

(list 2-3 good security auditing firms here)

We periodically request that all vendors submit to third party security testing as a normal course of business, however the urgency of this particular issue is such that we felt it important to alert you immediately.

We appreciate your prompt attention to this matter.

Sincerely,
(IT manager, xyz corp)

Don't specify the vulnerability. This will give them a reason to do a full security audit, rather than just sending your concern to the dev guy, fix that one thing, and then claim a clean bill of health. If they ask,

I'm sorry, for our own and your legal protection we aren't allowed to divulge particular details of any security issue to anyone except under NDA and mutual liability waiver. It is of a sufficiently simple nature that a competent security firm will resolve it.

If the product you're using is of a financial nature, then you can simply demand that they submit to a "seal of approval" type program from a major auditing firm (verisign, for instance) and discontinue service without that security audit seal.

Adam Davis
If it's of a financial nature - like Visa PCI requirements - then they have a legal *obligation* to fix it.
greyfade