Security hole found on weekend, tech co-founder says he will fix it on Monday

So we just received an error message from our server that basically proves part of our website is open to SQL injections because of code written by developer A, who is also a co-founder. It’s the weekend.

After I pointed it out to him he said he will make it secure on Monday …

This tells me he is not fit to be tech co-founder. This is not a 9-5 job for god’s sake. If a security hole that potentially puts client data at risk isn’t enough for you to drop what you are doing and take care of it, even if it is Sunday, then maybe you should go work for someone instead of playing start-up.

  • Was someone scanning your site? If so, the barn door is already open, the horse has probably left the stable.

    I agree that your co-founder should take responsibility. But, rather than threatening to fire him, perhaps you could use this as an opportunity to discuss your expectations with him and see if he agrees.

    There are a lot of reasons why it might be prudent to wait until Monday. For example, it might be difficult or complex to fix, and rushing it might make things worse. Or, perhaps he has been working 80-hour weeks and is burnt out. Or he has a personal emergency. Or, there’s a more pressing problem that he’s working on that you are not aware of. Or, it isn’t as bad a SQL injection as you think and is limited in scope because of other factors that will restrict the attack area. Etc.

  • The fact that you make a sweeping generalization of your co-founder based on one incident tells me that he would do best not to be in a business with you.

    • The fact that you’d make a sweeping generalization of a founder and his partner based on this limited information is disturbing.

      What this tells me is that he and his other founder are not communicating and setting expectations effectively. Nothing more, nothing less.

  • “This tells me he is not fit to be tech co-founder.”

    And how passive-aggressive are you? The fact that you made time to jump on here to post this instead of discussing with him tells us you’re not fit to be a co-founder either.

  • Guys, he’s jumping on here to ask advice, and this sort of thing gets emotional fast. I wish my co-founder did the same thing rofl. Free therapy.

    As a CTO veteran of 20+ years and countless security incidents, I agree there are lots of scenarios where a Monday is advisable. Heck, I spent much of this weekend dealing with Shellshock and still have no idea about our PCs, cellphones, routers, printers etc.

    That said, if I were in his shoes, I’d have explained why. And if I were in your shoes, I’d have asked.

    • “That said, if I were in his shoes, I’d have explained why. And if I were in your shoes, I’d have asked.” +1 all the way, you know… communicate.

  • Your perception of urgency does not match his. Get on the phone with him and explain to him that

    a) You told him about this today because you felt it was important.

    b) You are concerned that your perceived urgency of the situation does not match his.

    c) You expect that your technical co-founder will have an equal or greater sense of urgency about security issues.

    There’s no right answer to “should he have fixed this immediately?” The important thing is that you and he agree on what constitutes an urgent fix.

    Also, as a technical CEO, I can tell you that you should be more proactive in describing when you expect things done. If you identify a problem on a Friday night and expect your technical founder to fix it ASAP, make that clear. Don’t wait for him to say “I’ll do it Monday” then get shitty about it.

    You’re the leader. Call the shots and tell him what’s expected of him. If he pushes back, then you’ve identified a difference in perception and ethos, and that means you and he have to have an open conversation about how to get on the same page.
