Tell them about any issues you see, and include an estimate of the hours involved to fix them. Put it in writing, and you've put the ball in their court. They can't hold you liable for their own failure to pay attention to your warnings Let me add that if I could fix many of these problems in 15 minutes or less, then I would, just as a matter of personal pride in my work.
Tell them about any issues you see, and include an estimate of the hours involved to fix them. Put it in writing, and you've put the ball in their court. They can't hold you liable for their own failure to pay attention to your warnings.
Let me add that if I could fix many of these problems in 15 minutes or less, then I would, just as a matter of personal pride in my work.
3 +1 documentation of issue is your friend, I would assume (I might be wrong) that by voicing the concerns to them you would then not be liable as you brought up the problem early. – Jakub Dec 18 '09 at 19:01 +1 but even if you CAN fix them in 15 minutes you need to tell them about them and depending on how much control you have over the project as a whole either tell them that you have already fixed them or ask if you can fix them and say that it's included in your previous quote as it's so easy to fix... – Len Holgate Dec 18 '09 at 21:26.
When taking over a new project I would make it very clear to the client that I am not liable for errors in the original source unless they also wanted to pay me for my time to do a full code review. To protect yourself, make sure you keep a copy of the original code as you got it.
3 +1: Use some sort of source control to be able to demonstrate what you changed. – OMG Ponies Dec 18 '09 at 19:07 Good one! – Andrei Rinea Dec 8 '10 at 10:36.
You make sure you have a copy of the original code, and use a good source control system, so that if questions arise, you can illustrate clearly that this isn't code that you wrote, but that was present before you started. How do you do right by the client in this situation? You ask the client up-front what kind of analysis they'd like you to do: Potential code improvements, security fixes, etc. Think of categories you can give them to give a good picture of what you'll be reviewing and what kinds of things you could potentially find.
Why up-front? Because otherwise you'll get car mechanic syndrome, where you take in your car, and the mechanic says "Oh, by the way, we found this problem over here" and you feel uneasy because you're not sure if it's real or not. But if you ask the mechanic to give it a good going-over everywhere, at least you'll feel more comfortable with it if he finds something.
Likewise, if you get the up-front OK to look for stuff like this, then you can make a list and show them the code and illustrate the problems, and you look like a professional doing analysis rather than a slimy mechanic trying to make an extra buck for questionable work.
I can't answer from a legal perspective; that'll depend on the written and case law in your jurisdiction. From an ethical one, though, the least you should do is identify the flaws and their potential impact to your clients. Give them an idea of what could happen if those vulnerabilities were exploited.
When I freelance, I do the work I'm paid/asked to do and advise on work that I feel should be done. That's actually how I approach most of what I do. I'll do exactly what I'm asked, but as a professional I almost always offer up my opinion on the situation.
I certainly wouldn't say you are directly responsible for it, but it wouldn't be very professional to not say anything about it. Oh and I'm not suggesting that you have to weedwack your way through the entire codebase to find any potential issues...just that if you come across them in what you are doing, don't sweep em under the rug.
I think you should make your client well aware of the situation. Let them know what risks are in the current system they are running, and how much it will cost to fix it and what the risks are if they don't. I don't think you can be liable (but I am not a lawyer - contact one if there is a real pressing legal issue) for pre-existing problems IF you make the client aware that you are aware of them.
How is this handled in other situations? If an engineer comes across something very poorly constructed but is only given a budget for a very small tweak or fix, is he still responsible for all the other problems?
Spec It Out When freelancing you should always provide the client with a fully detailed spec of work broken down into the smallest sections you can manage and your estimated hour requirements for each section. If you notice glaring issues in their current codebase that you would be willing to remedy, create a secondary specced estimation of certain things you believe you could fix and make sure to include why it's important to fix the issues. Best Case Scenario In the best case scenario you get some additional work and the client gets an improved application.
Worst Case Scenario In the worst case your client declines your quote on fixing their existing bugs/security holes/code bloat. This is not a bad scenario to be in as you have cleared your liabilities in the event something goes wrong in the future. It also gives you a good indication to not pursue further work for the client as they clearly has no concern for security or quality of work.
Just be glad when you have finished the project.
As a freelancer, I inherit a lot of poorly developed custom web projects. Most of these projects do not safeguard against XSS and SQL injection. On some of these projects, I've been the sole developer for over 1 year.
I cant really gove you an answer,but what I can give you is a way to a solution, that is you have to find the anglde that you relate to or peaks your interest. A good paper is one that people get drawn into because it reaches them ln some way.As for me WW11 to me, I think of the holocaust and the effect it had on the survivors, their families and those who stood by and did nothing until it was too late.