@fyjham said:

Well, first off I'm going to assume he ran it on a dev system without real PINs... if not, legal action would probably be more likely than an Elmo toy for attacking a PIN database of a bank.

Even still, the first step should be going to the manager and going "I think there's a security hole in this, it could potentially compromise all our PINs. I can build a proof-of-concept if you like, or I can work on fixing the issue?". If the manager asked you to go ahead with a proof and you build something that can crack the PIN in 3 minutes (on the dev DB ofc) then the manager should go "Holy crap, good work, we need to fix this fast!" and a bonus would be more fitting than an Elmo toy :P

On the other hand, building the whole exploit while something that fundamental is wrong without telling anyone, then yes, that is a WTF. A small unit test that sends like 20 fake PINs and sees whether you're locked out or not, sure, but the whole brute-force top to bottom definitely shouldn't have been written. Especially since for your manager it changes from a "We closed a potential risk before it became a reality" to a "One of our developers managed to find a way to steal the PIN of any user he wants, so we fixed it" when he reports to management... and that's basically for him a "great news" to a "what the hell is wrong with you guys?" :P

You are correct about the dev system, he was not working with real data.