That could work, but plenty of quiet heroes weren't promoted for fixing critical bugs.
They fixed it too soon. You have to wait until the effect is visible on someone's dashboard somewhere.
Goodhart's Law strikes again... "When a measure becomes a target, it ceases to be a good measure."
You have to make sure it doesn't arrive at you before it is on the dashboard. Otherwise you are the reason the time-to-fix-a-bug metric is blowing up. Unless you can make the problem so obscure that the other smart people asked to help you can't figure it out, thus making you look bad.
That is in no way guaranteed. Sometimes finding too many security issues makes you unpopular.

Two years afterward, we got hit with ransomware. And obviously "I told you so" isn't a productive discussion topic at that point.

That's not preventing the issue, though. The closest you can get to this is to have a competitor be burned hard and then demonstrate that your code base has the exact same issue. But even that isn't guaranteed. "That can't happen here" is a hard mindset to disrupt unless you yourself are already in the C-suite.