An anonymous reader writes: I'm a new hire (not even out of college) for a company that uses a customized, publicly accessible search page to search a proprietary database for information that concerns our products. The search page and database are hosted and developed by a third-party company that offers access to this proprietary information/service for a fee, and my company is one of the biggest clients. The search page is really counter-intuitive, so I (having a background in web development) was tasked with figuring out how to make it easier for people to use (without asking the third-party company to redesign it; i.e. using things like GreaseMonkey, etc.). I quickly determined (just by looking at the GET URLs, the HTML source, visual inspection) that it was obviously coded by someone who had limited or no experience with web-based coding. While poking around, I discovered several ways to easily improve the search from our end — but I accidentally stumbled on some sensitive material. Namely that, due to a lack of error handling and those helpful messages PHP displays giving you the path to the otherwise hidden includes (not to mention no protection against SQL injection, and lots of other major and minor security holes), I am able to get into the PHP source code of the search system, and get admin-level access to restricted areas. It wasn't my intention to do this, but now I am worried that both myself and my company could be legally liable for breaching the third-party company's system. Who should I tell, or should I tell anyone? But when that company looks through their server logs and sees my company's IP.... I just don't know what to do. Help me, Slashdot.