Boss wants me to falsify a report. How should I document this unethical demand?

Question

I work in IT, and my manager is trying to get my coworker and me to submit a falsified security scan to a client of ours. Basically, he wants us to submit a security scan modified to exclude vulnerabilities that were discovered during the scan. This is part of a larger project that we are working on for the client.

My manager reports directly to the company CEO, and the CEO himself is pressuring my manager to get this project done no matter what. The CEO doesn't care if corners are cut or if anything unethical is being done.

For me, the issue is very simple. I will not do what my manager is asking as I find it to be highly unethical. Because this is part of a larger project, I have been working on other things in an attempt to give myself some time to figure out what to do. I am also trying to figure out how to best document what my manager is trying to get me to do, which brings me to my question.

So far, everything that manager has asked me to do related to this has been spoken verbally. I have made several failed attempts to get him to put anything in writing. Yesterday, I asked him in writing what he wanted done with the security scans and he wrote back to me, "we already discussed this, you know what to do."

Because I will be putting my job on the line when I eventually have to tell my manager "no", I want to at least be able to document what my manger has asked me to do. I don't currently have any way to prove that he has even asked that I do something unethical. Is there a better approach that I can take? I am more concerned for my professional reputation than my job.

Are you supposed to provide it to him to pass along or do you send it directly to the client? — SemiGeek, May 23 '19 at 16:06
He doesn't want to submit the scans himself. He wants us to do it for him. — , May 23 '19 at 16:08
Regardless of what you end up telling your boss, I hope you have started to look for a new job. The client would probably look very highly on the fact that you are unwilling to cheat them. — David K, May 23 '19 at 16:12
@it-guy You might find this page useful: California Whistleblower Protection Laws — David K, May 23 '19 at 16:24
OP, this question is very similar to what you are facing, I think the answers there may also be helpful to you. https://workplace.stackexchange.com/questions/105378/company-doesnt-follow-security-policies-advertised-to-clients — Anthony, May 23 '19 at 19:58
Do you know the motivation for the false report? I ask because if this is as innocuous as ignorance to usual InfoSec policies, as a few have mentioned, education on this possibly being more a matter of having remediation plans vs. being perfect may go a long way. — SemiGeek, May 23 '19 at 21:15
Did your manager give a reason for modifying the results? Were you asked to remove all discovered vulnerabilities from the report, or only select ones? — S. Grey, May 24 '19 at 14:38
@DavidK It depends on the client. Its quite possible that the client themselves merely wants a regulatory box ticked without needing any action, and the OP's bosses are just doing what the client wants. — Paul Johnson, May 24 '19 at 15:54
There are a few things which can be done to „whitewash“ the report like retesting, mitigation plan, vendor statement - i would suggest them to your manager. If they insist or makes the modifications theirself make sure you don’t appear as author. I don’t think however it’s a personal legal problem for you follow along. — eckes, May 24 '19 at 19:23
Does your company have an Employee Handbook, or other set of published employee policies? There may be a section or policy in there about interacting and communicating with clients, as well as ethical and honest behavior, that could give you some guidance. I always read the Employee Handbook whenever my corporate overloads ask me to sign a form that states I've received and read it. Always included are a bunch of policies that feel very boilerplate and can be summarized as "Don't be a %$!~#@ Jerk.", and I always wonder why people need to be reminded to be a good person. — Adam Porad, May 25 '19 at 00:25
I am stubborn, and I will not compromise on something like this. I have actually responded to the e-mail exchange that you have by saying that I simply will not falsify data, but I will turn over the results, and if you wish to falsify the data, then have at it. I did blind copy others, as well as my personal e-mail account. — Ron Maupin, May 25 '19 at 06:37
Working on other subprojects is avoidance. You should put most of your avoidance bandwidth into circulating your resume, becuse there's no ending here where you keep your job. — Harper - Reinstate Monica, May 25 '19 at 21:32
Related : https://security.stackexchange.com/questions/11025/what-should-i-do-when-my-boss-asks-me-to-fabricate-audit-log-data . I was searching for another question where it basically says the following : even though there are certifications on the security field, it is a very little field where the most dominant factor is trust. If you ever get implied in some judiciary stuff, that ma be enough to give you headache for your career if not end it at all. — Walfrat, May 27 '19 at 07:08

score 145 · Accepted Answer · answered May 23 '19 at 15:51

145

He probably does not want to put the request in writing because he knows that can get subpoenaed later. I think there are two steps for you to take:

Document what you have been asked to do. Write down the dates of these directives and these conversations to the best of your memory. You should also backup the email exchanges this request has been alluded to, even vaguely. Written down accounts are not 100% bulletproof evidence, but it holds more sway than if you are just trying to remember it later.
Inform your boss that you find what he is asking you to do to be unethical and you are unwilling to change the report or sign off on someone else changing the report (or whatever the case may be).

I feel for you being put into this situation, but you are doing the right thing in sticking by your ethics.

answered May 23 '19 at 15:51

dbeer

11,944
8
31
39

137

Perhaps send a confirmatory email back to the boss. Re: Our discussion yesterday; you want me to X. Y. Z. Please confirm I have understood correctly? – Stewart May 23 '19 at 20:52
2

Is it possible that such emails help document things even if my manager doesn't respond? – May 23 '19 at 22:38
20

@it-guy Yes they help, even if they get no response - generally they will create logs, particularly time-stamped/etc. and are hard (but not impossible) to fake (would likely require the e-mail service owner to get involved) - plus they are easy to forward on to whomever when it gets escalated (boss's boss, lawyer, etc.) - and if the files are mysteriously purged, that doesn't look well either – user2813274 May 24 '19 at 00:10
4

Depending on local laws you might be able to record his asking you verbally. – Loren Pechtel May 24 '19 at 04:37
12

@it-guy: Your manager not responding is not enough to hold up in court by itself to prove the manager's guilt, but the absence of any mails stating "I never told you that" can be enough to ask the manager why they never responded (and if they claim they did, to prove that they did so). Even if that's not enough to convict the manager, it should be enough to not convict you of wrongdoing (note: I AM NOT A LAWYER) – Flater May 24 '19 at 10:31
35

Not just for sticking to your ethics: OP's boss is setting him/her up as the sacrificial lamb if it goes south. – Jared Smith May 24 '19 at 11:44
3

@Flater Or one step further, after writing an email and only getting a verbal answer, send another email "like you told me in person, I will now go ahead with this". No answer to that is even more compromising. – R. Schmitz May 24 '19 at 11:45
6

@R.Schmitz: There is a matter of overdoing that though. I agree with what you say and it is the best CYA approach (which does seem fitting for OP's particularly unethical situation) but I just want to add that it shouldn't be blindly applied to just any casual "maybe I'll need to cover my ass someday, who knows?" situation as it will create friction between you and the manager. – Flater May 24 '19 at 11:47
4

@Flater Indeed, it is already going in a ridiculous direction and only acceptable/advisable because you're in danger of unwillingly becoming a criminal. – R. Schmitz May 24 '19 at 11:50
3

@Flater FWIW, after any verbal conversation I have with anyone, I always follow up with an email: "Per discussion: ...", everyone appreciates it. (It helps us avoid the inevitable "what did we decide to do, again?") If OP gets in the habit for little things, then it can work for this one very effectively as well. (Of course, it assumes OP already does that.) – Der Kommissar May 24 '19 at 20:01
5

Don't overlook the bcc to your personal email account. It will prove that you sent that email and when, if push comes to legal shove – May 24 '19 at 23:13
Update your CV/resume and start to find your next job, far far away from these yahoos.

T.J. Crowder

May 25 '19 at 15:46

Prep for the worst case (what you’re doing now) — update resume, get legal council ready, prepare your notes, record contact information of client 2. Send confirmation to your boss — confirm that you can send a full report of good scans and aggregate the list of unsuccessful passes that are still being explored (perhaps you don’t need to be completely dishonest and only need to present the information uniquely) 4. Go up the chain above your boss and notify of risks associated with sending the report 5. Blow that whistle

– vol7ron May 26 '19 at 14:34

score 83 · Answer 2 · answered May 23 '19 at 17:57

83

I am not a lawyer, but this seems to go beyond the ethical realm into a legal one.

I work in IT, and my manager is trying to get my coworker and I to submit a falsified security scan to a client of ours.

This sounds like fraud.

Contact a lawyer immediately to determine how best you can protect yourself, and to find out if you have done anything that makes you potentially liable.

A lawyer may tell you to resign immediately.

Documentation is fine, but do not make personal copies of client or company information, such as taking pictures on your phone, saving company email threads, or sending documents to a personal email account. If you have already done so, delete those immediately.

If your employer ends up getting found out (which I certainly hope is the case), your employer could retaliate by filing a lawsuit or criminal complaint against you (no matter how frivolous) based on your handling of company data.

answered May 23 '19 at 17:57

mcknz

25,182
9
85
106

5

A lawyer might not advise you to do the ethical thing. If it's safer legally for OP to ignore what's happening and leave, then that still leaves his employer's customers highly vulnerable to whatever the vulnerabilities allow. – forest May 24 '19 at 04:03
15

@forest my assumption is that a lawyer would be able to advise on how to safely be a whistleblower if that is what the OP wishes to do. – mcknz May 24 '19 at 04:22
1

@mcknz the lawyer will advise the client to cover his assets and stay in the legal white or light-gray area, damned be ethics. – Mindwin Remember Monica May 24 '19 at 13:00
I mean, of course it’s fraud but personally I find ethical concerns more compelling than legal ones. That said, I entirely agree with the advice given in this answer. – Konrad Rudolph May 24 '19 at 14:27
8

@Mindwin: A lawyer can't generally advise a client to break the law, but if there's any legal way to accomplish the OP's goals -- including ethics-related goals -- the lawyer can advise him how to do so. Lawyers don't just say "One legal option is X. Now that I've told you about X, I don't have to give you advice about any other options." – ruakh May 24 '19 at 17:55
7

@Mindwin I mean, there's a very very high likelyhood that the ethical action and the legal action in this context line up. Ethically, lying about security vulnerabilities is bad. Legally, lying about security vulnerabilities (that your company was presumably contracted to help with, otherwise why are you doing a report on it?) is probably fraud. – Delioth May 24 '19 at 19:24
1

You might add a note that the OP might be personally exposed for criminal fraud. An employee is generally shielded from the mishaps of their employer. But knowingly falsifying documents about actions for which a client has paid money likely does rise to the level of criminal fraud. "My boss told me to" may not protect the OP. I would add a heading to this Answer to emphasize: Consult an attorney. – Basil Bourque May 25 '19 at 15:40

Peter · Answer 3 · 2019-05-27T13:03:51.277

So far, everything that manager has asked me to do related to this has been spoken verbally. I have made several failed attempts to get him to put anything in writing.

You don't make him put anything in writing. You put it in writing for him.

To: My Boss

Subject: Work order

Hi Boss,

As discussed, I put [unethical feature] you approached me about yesterday on the backlog. I still have some questions on the legal side of things and would be happy if we could talk through those before we start working on it.

Best, it-guy

You might then have a meeting where he tells you to go ahead with [unethical feature], not to worry about the legal side, and instructs you to no longer write emails summarizing your conversations. You will forget the part about not writing emails and send something like this:

To: My Boss

Subject: Work order, follow up

Hi Boss,

Just summarizing the discussion from 2 pm: You already checked with the legal side and the proper way to go about this is that I need to do [unethical thing] and [unethical thing]. I will probably have it ready by tomorrow afternoon.

Best, it-guy

If he's ambiguous, you remove the ambiguity in the summary, which makes it his responsibility to clarify if you misunderstood.

Do not forget to print out the emails and take them home (or just snap the screen with your phone), because companies who are willing to break the law are occasionally willing to "lose" emails.

"print out the emails and take them home" According to mcknz's answer, this may be very inadvisable. — Max Barraclough, Apr 27 '20 at 10:50

score 14 · Answer 4 · answered May 23 '19 at 18:04

I can speak to part of this from my experience as an infosec coordinator at a SaaS business. (I can't speak to all of it, because my employer has a culture of compliance; our executives would never play this game.)

In most cases these requests come from a part of the customer's business who are simply checking boxes before signing off on new vendors. On cynical days I think they just weigh these reports, or wordcount them.
It's sometimes possible to submit a truthful scan to a customer if you include an explanation and a remediation plan. Many customers will accept that, and it will boost your credibility: corporate infosec people like transparency. (They will follow up to make sure you remediated the situation, however.)
It's perfectly reasonable to send just a summary of a scan to a customer; the details of your systems and vulnerabilities are actually nobody's business but yours, and disclosing them increases your attack surface.
I suppose it's possible to submit a fake scan to a customer to get the business. But you'd be wise to prepare a remediation plan and ask your boss to agree to implementing it if you do that.

If you do send a fake scan, and then some cybercreep successfully attacks you, what could happen? Unless you are in health care, I suppose the worst-case scenario is Equifax: disastrous publicity for your customer and you. Or your owner could send your CTO onto Fox News to lie about it, like they did when Panera had a breach. But it probably won't be that bad.

If you are a health-care HIPAA associated business entity and you have patient data, and it leaks, and somebody was negligent, that is a crime that pierces the corporate veil, meaning individuals can be criminally liable and can't hide behind an LLC. In that case you'd be wise to refuse to sign off.

Look, it's a pain in the ...neck to work for a company that doesn't have a culture of compliance. You know that. But, it's possible to use this as an excuse to start pushing for change in your company. My suggestion number 4 might be a way to get that going.

The right question for you, and for your executives, is "how can we make our customers' data safer?" Compromising about this just might get you further along that path. Just something to think about.

If you do compromise, I suggest you write a "memo to file" describing the situation, and the instructions given to you, and your actions. Print it out and take it home. It's just for you, not for your executives or colleagues. It will help you remember exactly who said what and when if you have to describe this incident a few years from now.

+1 for mentioning a compromise solution. I like how its not directly confrontational but at the same time can be used for future action. As a InfoSec professional myself, I know full well sometimes the best solution may not be the ideal — Anthony, May 23 '19 at 19:55
The remediation plan for committing fraud might be to make sure you have enough to post bail. — mcknz, May 23 '19 at 20:11
In reality, attacking people—playing the unethical card—is not a very effective way of getting them to change. And anybody who reads the news can see that getting people to change is really hard, and really urgent. — O. Jones, May 24 '19 at 00:30
The worst that can happen? Remember that engineer that just went to jail for several years for faking test results for stuff that was going into space? — Loren Pechtel, May 24 '19 at 13:57
Re: I wouldn't exactly call Equifax publicity "disastrous". They're still perfectly in business and their actual customers don't really seem to care. It was definitely bad publicity, but it wasn't really a disaster if the company responsible is still flourishing 2 years later. — Delioth, May 24 '19 at 19:27
Interesting interpretation Delioth.. https://gizmodo.com/equifax-is-finally-getting-kicked-in-the-money-bags-due-1834976747 — , May 24 '19 at 23:08
The OP's post seems to indicate that he is being asked to not tell the client about vulnerabilities that they found, rather than the reverse. — Michael Hampton, May 25 '19 at 06:57
@Delioth - Equifax doesn't have customers. They're one of the three companies that together basically have a strangle hold on a sector that shouldn't be in the hands of private companies. My parents are not happy about the time they've had to spend on the phone getting their credit frozen and unfrozen due to this bs. — Mazura, May 25 '19 at 19:12
@Mazura: Equifax definitely has customers, just not you (or your parents). Lenders and background checking agencies pay Equifax big money for access to those reports. The people they collect reports on are not customers, they are the products Equifax sells. Regarding "should not be in the hands of private companies", all the other options would be much, MUCH worse. — Ben Voigt, May 26 '19 at 20:36

score 6 · Answer 5 · answered May 24 '19 at 15:35

I, unfortunately, have been in this situation a few times in my career.

First, you cannot continue working for this person, start looking for another job.

Second, I suggest you do what another suggested. Write it all in an email and ask for a yes/no confirmation. In that email, I would point out in the email that what you understand him requiring you to do is unethical and possibly illegal. "Confirm with Yes or No, or I will not do this unethical and possibly illegal thing." I have requested a signed document or digitally signed email before, and they always refuse.

One time, I was asked to sign off something as passing vulnerability tests and I would not because they wouldn't even allow me to have the scan run. The feces hit the air movement device later. I was contacted by a Colonel in the Inspector General's office about 6 months later asking for a written deposition, because I could not produce copies of the emails (I could not take them with me).......lots of firings, but I was already gone....By then I was on the other side of the world.

score 3 · Answer 6 · answered May 23 '19 at 17:12

3

Dan and dbeer covered much of my first thoughts. Copy what pieces you can and manually log the rest. Some of this is risky, but I'm focused on your assertion you are willing to lose this job over this (and I applaud you for it).

You could also respond back to his noncommittal email with copies of the original result and a doctored draft with "DRAFT" watermarks and bcc a personal email.

"Per our discussion, here are the original and a draft of the scans with the redacted results." Assuming he verbally tells you that is what he wants and to send it (and maybe to stop emailing proof), at that point you are somewhat cornered into telling him you cannot comply with sending falsified scan results. If you want to salvage the relationship, a discussion around remediation plans might be in order. Most audits I've been involved in are more interested in truth followed by a plan to improve risks. But that may not hold here.

He may check email logs and know what you're up to. If so, he should also know you have documented his malfeasance. Hopefully that would give him pause before threatening to ruin you. He might do something like threatening you with some sort of NDA by sending yourself that email. Remember that's a desperation move. The only way he can prove it is by providing evidence that he's trying to defraud a client.

answered May 23 '19 at 17:12

SemiGeek

5,557
14
28

Emails are great so long as they aren't hosted by the company. It's common a company will take over your email upon departure (or firing) so the OP's boss could easily log in and delete the email. So it's a good idea to export everything, at least once a week to make sure you're at least covered especially when someone is telling you to do something unethical. Nothing is stopping them from continuing their unethical behavior and gain access to your email and deleting the appropriate items or even faking communications. – Dan May 23 '19 at 17:40
1

Also if you aren't already it might be a good idea to digitally sign your emails. That is 100% proof you sent it and something that can't be replicated by a bad actor unless they compromised everything you have. – Dan May 23 '19 at 17:42
3

Emailing info might protect the OP, but I would not send any company or client data to a personal email. This could violate an NDA or similar agreement. If you have a gmail account, for instance, the OP would essentially be hosting proprietary information via a third party. – mcknz May 23 '19 at 17:49
@mcknz That's definitely a consideration. IANAL, but personally, I'd be willing to pit that risk against willful fraud. – SemiGeek May 23 '19 at 18:53
1

I would write explicitly in the email that you are opposed to this, as it is illegal. Also advise your boss explicitly not to remove the "draft" watermark and use the fraudulent report. And print out a copy of the email and the document, storing it somewhere that they won't readily find it. – Astor Florida May 24 '19 at 11:50
@Dan Digitally signed email messages are not "100% proof you sent it"; how hard it would be for someone to get hold of the key and sign a message you didn't write depends on the environment. In corporate environments, where the "attacker" usually has full control over the software and hardware you're using, they might easily be able to decrypt your key. (It's probably stored on a company drive, and they may have, e.g., monitoring software that captures your passphrase.) In this particular case, I see no need to digitally sign the messages anyway; you can later testify to what you wrote. – cjs May 26 '19 at 07:04
@mcknz At some point information is no longer protected by NDAs or the such especially when someone violates laws or ethics. When one person does wrong, you're no longer bounded by terms. It's basic contract laws in most developed nations. Let's say this is medical and the employer falsified results to sell their products that might prove fatal. Would you want someone to disclose that? Or would you want someone who follows their so-called NDA? – Dan May 28 '19 at 13:38

score 2 · Answer 7 · answered May 24 '19 at 14:15

2

In the high tech company I work for, we have a role in the organization called an Ombudsman. It's their independent duty to offer advice and guidance in ethical/legal issues like this. In our company it can be completely anonymous if needed. If your company has such a role, I would suggest contacting them for guidance, as that is their job and duty.

answered May 24 '19 at 14:15

Milwrdfan

268
1
5

useless advice for a manager that reports directly to the CEO, who is applying the original pressure. Read the question – May 24 '19 at 23:10
4

The job of any employee, whether that be HR or an Ombudsman, is first and foremost to protect their employer. Unless this Ombudsman is an independent third-party (maybe paid by the government or the union), they will probably not be helpful. Do not, under any circumstance, ever assume that someone employed by the same employer as you, will put your interests over your employer's. There are certain, legally-defined, specific roles that have certain protections (e.g. a GDPR Data Protection Officer cannot be fired for doing his job), but that still doesn't mean that they are independent. – Jörg W Mittag May 25 '19 at 10:31
1

It is not in the company's interests. If the Ombudsman is acting on behalf of the board then he will shut this sordid mess down. – user2617804 May 26 '19 at 09:59

score 1 · Answer 8 · answered May 26 '19 at 09:39

What worked for me in the past: Make a report which describes what you actually did, including passages which what you should do/plan to do, but mark these explicitly as "not yet done", send it to your boss and tell him to redact it as he sees it fit, sign it off and send it to the customer.

A lot of people suddenly become much more careful if it's their signature and not their subordinates signature (in my case it was about an order to their "favorite supplier" instead of the cheapest one).

If your boss still wants to do this, then run from that company and depending on the severity of the situation pass the knowledge to appropriate institutions (-> legal question, talk to a lawyer).

Dan · Answer 9 · 2019-05-23T16:11:36.800

0

My thought is if you have the original scans and the modified scans, then simply burn the actual scans to a cd and drop it in the mail to the company. Include an encrypted text file with a code phrase that identifies it to you. If you ever need to go on the stand, so to speak, you can describe what is in that encrypted text file so you'll have a standing. It's also great if your boss throws you under the bus in front of the company, and you can say you included a encrypted file with a code phrase only you'd know. I think that is the best approach in terms of insurance. Otherwise I think your boss and his bosses can make up whatever they like and you have virtually no proof especially if they told you verbally.

edited May 23 '19 at 16:11

answered May 23 '19 at 16:03

Dan

21,133
4
33
71

4

I am not a lawyer. I agree with the spirit of this answer, but I think the OP could potentially get in trouble for unauthorized release of company information, even if it's for a good cause. Better to get legal advice. – mcknz May 23 '19 at 17:04
1

Good point about release of information, but that is information that is supposed to go to the client, whether it should go prior top being "doctored" or not is a different question... – Solar Mike May 23 '19 at 17:13
@SolarMike I would assume that to be the case, and that the OP would hopefully be protected because of that fact, but the law is weird and not always fair. – mcknz May 23 '19 at 17:22
1

@mcknz oh yes, "a man is innocent until proven broke"... – Solar Mike May 23 '19 at 17:24
And when the client calls his company to tell them about the CD, and OP is known to have refused to fake a security scan, (there can't be that many vendors, and can't be that many people doing a security scan... that's specific work) then OP gets to decide if it was worth it. – J. Chris Compton May 24 '19 at 14:02
@mcknz NDAs are used to protect trade secret so you won't go to a different company and disclose trade information or take patent information and go to a different company and disclose information. It does not protect the company from lying to their customers by falsifying reports. Unless both parties agree that they want to lie on the report but I suspect the company in question did not agree to a false report. – Dan May 28 '19 at 13:47

score 0 · Answer 10 · answered May 27 '19 at 22:59

I think that there is another option here that people may not like but that is being ignored. It revolves around the idea of who is the person who is committing fraud and how. If your desire is to continue to work at the company but avoid doing anything that could implicate you then I would recommend the following.

Create the version of the report your boss asked for then send it to him with the original attached and say the following.

I have created the report (with omitted answers) that you asked me to prepare for {company} you will find it and the original report attached to this email for comparison. I want you to know that I have prepared the report in the hope that you will us it for internal purposes only. I truly believe that the decision to share the edited version of this document with {company} puts our company in a very dangerous position as some of the issues in the original document are real issues that might be exploited. In this light I urge you to use the original.

I would then BCC the email to a personal email account as well as print out the full email (the raw email from your sent folder with all of the headers). If your boss replies and tells you to send the email to {company} that is the point where you say

For my own personal liability concerns I cannot in good conscience be the person to email this to {company} and I hope thats not a problem for you

I would say that this does a couple of different things:

a) independent of Fraud or the situation your boss gave you a work task to create a report and this may be a situation where you could get fired for not doing it creating the document and calling out it was requested makes it clear you are willing to complete tasks from your manager (I truly understand that people wont agree with this but I see it as walking up to an ethical line without crossing it)

b) by providing the report in an email to your manager with the original it makes it very clear that the document should be considered for internal purposes. If your manager decides to use that document it is your manager who has committed fraud not you. (I will address what to do if he actually sends it later)

c) submitting this to your manager gives them a written chance to do the right thing. your manager might change their mind... hopefully.

d) BCC'ing printing and saving the email provides you with important physical evidence that might be necessary if you experience negative repercussions from this action

Finally I would argue that making the report isn't the difficult ethical question. I would say that

what is your responsibility if you know for certain that the your manager/ the company has sent the document thereby committing fraud?

is a very complex question, I could make several recommendations in that vein but the true one that you absolutely should do is.

If your boss uses the edited report and as a direct or indirect result your company gains or otherwise continues contracts with the other company. Don't post on stack exchange, spend a couple hundred dollars and get advice from a labor attorney (that will be advice that has malpractice insurance)

score -2 · Answer 11 · edited May 25 '19 at 15:25

-2

For me, there are two alternatives:

Do it, but protect yourself

Keep a document with the actions you've took, with a date of creation / modification younger than the mail you'll send to the client with excluded vulnerabilities. In this document, put by memory your discussions with your manager, the excluded vulnerabilities, and link to the real report.

Then take the actions you were told to, and send the mail with the edited report to your manager warning him for the vulnerabilities (or find another mail you already sent talking about it).

If this is found out by the client, you will be protected (and even if they ask you why you did this unethical thing consciently, you could say that you were pressured to).
Find a new job and get out ASAP

This is a toxic environment and/or a toxic management you have here. Try to get out without burning bridges and find another job before that. Win as much time as you can without having to edit the report, so you can leave before having to do it.

َ

edited May 25 '19 at 15:25

Peter Mortensen

1,003
1
8
8

answered May 24 '19 at 12:13

S. Miranda

149
5

1

"send the mail with the edited report to your manager" - This gives me a good idea: Although the manager refuses to respond in writing, you could still document what's happening by sending the un-edited report to the manager, commenting on the vulnerabilities, mentioning that this is the report that should be sent. This way you document that you and your manager were aware of the issues and have some evidence that you did address them properly. If still only the edited report gets to the client, the fact that this happened despite your documented concerns should get you out of and the – JimmyB May 24 '19 at 12:22
manager into focus. – JimmyB May 24 '19 at 12:22
8

Falsifying the report should in no way be an option here and I dont see how any decent professional would even consider it. Just look at what happened to those developers in the BMW emmisions scandal. – ayrton clark May 24 '19 at 13:31
@ayrtonclark I agree, but in some cases you can't really choose. i'm not in this person shoes : if he is in a situation when he can't handle to lose his job, the only choice left is to follow the instructions, covering himself as much ah he can – S. Miranda May 24 '19 at 13:37

Boss wants me to falsify a report. How should I document this unethical demand?

11 Answers11