I posted a while ago telling the David and Goliath tale of KashFlow and Sage. Sage being the big boy of UK accounting software and KashFlow being a poor defenceless SaaS start-up being hounded to death by the behemoth.
At the time I wrote that I thought Sage’s actions were unnecessary and unhelpful, a contention I still hold. But sometimes there’s another side to the story…
Before I go on I need to point out that this post is not meant to judge either party. Duane from KashFlow is a smart and passionate CEO who I have a whole heap of time for. Sage meanwhile demands respect for their sheer market size.
Recently the KashFlow blog had a post outing some potential security concerns for the new SageLive SaaS product. The substance of the claims is not overly important. I did some research myself, communicated my findings to Clive Gray, the head of SageLive, and the site was taken down instantly to address the concerns: just the actions one would expect from a reactive and concerned beta software product. (Clarification: others, including the inimitable Dennis Howlett, also communicated with Sage about the issues. I don’t want to claim all the credit for what happened; it was a team effort.)
But in publicly outing the issue, without (it would seem) beforehand communicating the concerns to Sage, I believe Duane damaged not only Sage’s reputation, but the industry as a whole. I believe that we all have an obligation to give vendors the opportunity to “right wrongs” before publicising those wrongs. Sure if the vendor ignores the warnings we have carte blanche to tell the tale far and wide, but to do so without informing the vendor is poor form.
It’s also a little unfair on users. If one finds something that does in fact constitute a risk for end-users, it increases the moral obligation on the finder to ensure the problem is fixed before declaring it to the world. It’s hard to claim the moral high ground, concerned for the security and privacy of users, if in the same post you tell the world how to find the holes you discovered.
Thoughts?
I have to agree with you, Ben – we at CODA have gone to great lengths over the last few days to be balanced in our comments to press and others. We have pointed out very clearly that whilst the apparent security issues were surprising, this is just a beta and that is the point of beta testing – to flush out issues before you’ve got live customers.
We would agree that the proper course of events would be to alert the vendor first to issues before going public. I don’t think trumpeting security issues does the cause of SaaS accounting any good at all – and that’s bad for all of us…