Answer
Source: https://writers.stackexchange.com/a/33258 License name: CC BY-SA 3.0 License URL: https://creativecommons.org/licenses/by-sa/3.0/
## Absolutely document them and point them out to management.

As Mark says, this is a business problem. As a coder myself with forty years of commercial experience, your problem is that almost any flaw can be exploited to the detriment and possible losses of your clients, such as a password sent using GET. Despite license agreements that disclaim any and all responsibility for such losses, lawsuits can still happen and may cost a fortune to defend and/or settle. Even worse, the publicity if such a thing happens and it is clear your company knew of it can be devastating to your company's reputation, reliability, and **_sales._** If your company cannot be trusted, and you have any competitors at all, they will exploit such a flaw mercilessly.

Write your documentation; you can describe the flaw without calling it a flaw or mistake; it is just the way the product is done. Arrange it so management can excise it quickly if they don't want to let people know; that is their job, and not **every** design flaw is exploitable. As you note, some are just stupidly and unnecessarily clumsy. (A good example of that is a phone system that requires the caller to identify themselves more than once, or enter an account number more than once.)

Write it up, as an addendum or final word on a feature, or whatever. Keep your copy of the documentation with that write-up. Show it to your supervisor for a final decision, along with some form of the reasoning above. They can kick it upstairs or tell you to kill it; that is a business decision they have been tasked with making. Do not presume it is your role to make it for them; it lets them (rightfully) blame you for any fallout.