Question 10
2021-11-03
We understand you don't know anything about our internal procedures at this stage, but we want you to explain at a high level how you'd react to this situation: You receive a report of a severe security issue on www.netlify.com. You can't immediately confirm, so what steps might you take to investigate or substantiate the report? What might you say to the reporter, even though we haven't confirmed their assertion yet, that will still leave the true impression that our business is very concerned about security? You believe there is a reasonable chance the report is correct and the problem is very large and impactful. How might you escalate?
The first thing to do is make sure the vulnerability is kept private so that it cannot be exploited by bad actors. I would reply to the reporter explaining that this is something Netlify is escalating to make sure it gets fixed, and that we would like them to keep it private until we confirm the issue has been resolved. The next step would be to contact the correct department with the report and give as much information as possible to help the investigation proceed successfully. Of course, I would notify my direct report for input, given the potential significance of the issue.