The Cryptographer's Cipher

Zero-Day Vulnerability Discovered in Security Company's Own Website Has Been There Since Day Zero

The irony, described by one researcher as 'load-bearing,' is that the company's homepage features a banner reading 'Protecting You Since 2012' directly above the SQL injection point.

A critical zero-day vulnerability has been discovered in the website of Bastion Cybersecurity, a prominent security consulting firm, and forensic analysis indicates the vulnerability has existed in the codebase since the site's initial deployment in 2012 -- making it, in a technical sense, the most literal zero-day exploit in the history of the field.

'It's been there since day zero,' confirmed security researcher Yuki Overflow, who discovered the vulnerability during a casual browse of the company's website. 'They launched the site with a SQL injection vulnerability in the contact form. It's been exploitable for thirteen years. The vulnerability and the company have the exact same birthday.'

The vulnerability, a textbook SQL injection in the 'Message' field of the site's contact form, would allow an attacker to extract the company's entire client database, internal communications, and billing records. It is the type of vulnerability that Bastion Cybersecurity routinely identifies and remediates in its clients' systems.

'This is the cybersecurity equivalent of a dentist with no teeth,' said Overflow. 'Except the dentist has been telling everyone else to brush for thirteen years while not owning a toothbrush.'

Adding to the irony, the vulnerability exists directly below a homepage banner reading 'Protecting You Since 2012' and approximately three inches to the left of a testimonial from a satisfied client praising Bastion's 'meticulous attention to security detail.'

Bastion's CEO, Conrad Perimeter, has acknowledged the vulnerability and described it as 'an unfortunate oversight that does not reflect the quality of our client-facing work.'

'We focus on securing our clients' systems,' Perimeter explained. 'Our own website is maintained by a different team. A very small team. A team of one, actually. An intern. Who left in 2013.'

The intern, reached by email, said he was 'not surprised' and that he had flagged the vulnerability during a code review before his departure. 'I left a comment in the source code that says FIX THIS in all caps,' he said. 'It's still there. I checked. The comment and the vulnerability have coexisted peacefully for thirteen years.'

Bastion has patched the vulnerability and has announced a comprehensive security audit of its own infrastructure. The audit will be conducted by an outside firm. When asked why Bastion would not conduct the audit itself, Perimeter replied, 'I think that question answers itself.'

AI-generated satirical fiction. Not real news.

© 2026 winkl

*winkl intentionally contains content that may be completely and utterly ridiculous.