
I rarely use devrant for such things but I'm curious as to the response. I've found several quite serious security vulnerabilities in our main application which have been raised internally yet management keep coming out with "we don't have budget to fix them" what should I do in this situation? How would you handle it?

Comments
  • 5
    Hire a Russian hacker privately on the darknet, take your company hostage. Share the ransom with your hacker. 😁

    Nah, no idea. If management is dumb enough to tolerate this state, make sure they are held responsible for this if anything happens.
  • 9
    Seriously, you have to get something in writing from/to a higher-up stating that the security concerns have been documented and brought to their attention and that you are awaiting further instruction. Signed, dated and distributed. This will be your cover when the shit hits the fan and they climb down the tree to administer blame.
  • 3
    @helloworld I'm going to add: talk to a lawyer. That way, if something does happen to you, like being fired for whistleblowing or the system getting hacked and used to send illegal spam, you have someone on your side.
  • 1
    Just explain it to him in a way he won't understand to make him feel small.
  • 2
    @heyheni I fantasise about that every day. Not because I want the ransom, nor because I'm evil (though I am), but just so I can prove to some people that having an `is_admin` flag on a user model and checking if that flag is true on every endpoint is not security.
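One concrete way a lone `is_admin` boolean stops being an authorization boundary, as an added illustration (this is not code from the post or from the poster's application; the profile-update endpoint, the field names and the mass-assignment pattern are assumptions chosen to demonstrate the point): if any code path lets the client write arbitrary fields onto the user record, the flag becomes attacker-controlled and the "check the flag on every endpoint" pattern guards nothing. The hardened variant allowlists client-editable fields and moves role changes onto a separate path that itself requires an existing admin.

```python
"""Added example: a bare `is_admin` flag is only as trustworthy as every code path that can write it.

Assumed, constructed scenario: a profile-update handler copies JSON body keys straight onto the
user object (mass assignment). Nothing here is from the original post.
"""
from dataclasses import dataclass


@dataclass
class User:
    username: str
    display_name: str
    is_admin: bool = False


# Fields a user may legitimately change about themselves. `is_admin` is deliberately absent.
CLIENT_EDITABLE_FIELDS = frozenset({"display_name"})


def update_profile_vulnerable(user: User, payload: dict) -> User:
    """Mass assignment: every key in the request body that matches an attribute is written."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


def update_profile_hardened(user: User, payload: dict) -> tuple[User, list[str]]:
    """Only allowlisted fields are written; everything else is dropped and reported."""
    rejected = sorted(k for k in payload if k not in CLIENT_EDITABLE_FIELDS)
    for key in payload.keys() & CLIENT_EDITABLE_FIELDS:
        setattr(user, key, payload[key])
    return user, rejected


def promote_to_admin(actor: User, target: User) -> bool:
    """Role changes live on a dedicated path that requires the *acting* user to already be an admin."""
    if not actor.is_admin:
        return False
    target.is_admin = True
    return True


def admin_only_endpoint(user: User) -> str:
    """The 'check the flag on every endpoint' pattern the comment describes."""
    if not user.is_admin:
        return "403 Forbidden"
    return "200 OK: secret admin data"


def demo() -> dict:
    # Constructed request body: an ordinary user edits their name and sneaks in is_admin.
    attacker_payload = {"display_name": "Totally Normal User", "is_admin": True}

    vuln_user = update_profile_vulnerable(User("mallory", "Mallory"), dict(attacker_payload))
    safe_user, rejected = update_profile_hardened(User("mallory", "Mallory"), dict(attacker_payload))

    return {
        "vulnerable_is_admin": vuln_user.is_admin,            # True: the client set it
        "vulnerable_response": admin_only_endpoint(vuln_user),  # 200 OK, the check passes
        "hardened_is_admin": safe_user.is_admin,              # False: field was dropped
        "hardened_response": admin_only_endpoint(safe_user),    # 403 Forbidden
        "hardened_rejected_fields": rejected,                  # ['is_admin'] worth logging/alerting
        "self_promotion_allowed": promote_to_admin(safe_user, safe_user),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The per-endpoint `if user.is_admin` check is identical in both branches; what differs is whether the value it reads is something only the server can set. The `rejected` list is also a cheap detection signal: a client submitting `is_admin` in a profile update is worth an alert.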
  • 1
    Thank you all for the advice. I am going to put together a proof-of-concept attack and show them just how far I can get. And I am well covered in the paper trail department ;)