Mark Dain Found a minor security vulnerability at work; some genius decided to encrypt the user ID cookie but there's no verification so it's fairly easy to tamper with (take another number from a different cookie); doing this will result in you being logged in as a different user. How do I ethically deal with this? Should I report it? Bear in mind this is a company who's fine with our SSL setup, despite the fact it's vulnerable to POODLE and others (but not Heartbleed! That's the important one).
Martijn Note that tampering with cookies itself might be a violation of computer hacking laws. Something to keep in mind when reporting these types of leaks. The same goes for modifying query strings. While keeping that in mind it is still a good idea to disclose responsibly. Always. Just be sure not to incriminate yourself and ask permission before trying if the "theoretical" attack is possible.
9y, 16w 3 replies
Mark Dain Just in case you're not aware, I'm talking about the platform my company sells. With that out of the way, every time I report security vulnerabilities, they never get patched unless I do it myself. This would be quite a big rewrite, possibly affecting every page. Should I even bother is the question?
9y, 16w 2 replies
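An added example, not part of the thread and not the platform's code: the missing verification from the first post, written as one cookie codec that attaches an HMAC to the (already encrypted) cookie payload and binds it to the cookie name, so a value lifted from a different cookie is rejected. The function names, the cookie names `uid` and `cart`, and the key handling are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: in a real deployment this is a server-side secret loaded from
# configuration; it is generated here only so the example runs stand-alone.
MAC_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(cookie_name: str, payload: bytes, key: bytes) -> bytes:
    # Length-prefix the name so different (name, payload) pairs cannot
    # produce the same MAC input.
    name = cookie_name.encode("utf-8")
    msg = len(name).to_bytes(2, "big") + name + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal_cookie(cookie_name: str, payload: bytes, key: bytes = MAC_KEY) -> str:
    """Return 'payload.tag'; payload may be the existing encrypted user ID."""
    return _b64(payload) + "." + _b64(_tag(cookie_name, payload, key))


def open_cookie(cookie_name: str, value: str, key: bytes = MAC_KEY):
    """Return the payload, or None if the value is malformed or was altered."""
    try:
        payload_b64, tag_b64 = value.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(tag, _tag(cookie_name, payload, key)):
        return None
    return payload
```

Putting the check in the single place where the cookie is read means pages that consume the user ID only ever see a verified value or `None`.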