Career advice

DarkStar02

Background: I was working as a web developer and internet marketing guy for a company that got acquired in Feb. this year. Our company was sold for $90m and is now part of a new company that has been buying up everyone and has already spent $200+ million in acquisitions in the past 4 months. When we got bought out they fired everyone in our division except for me and the director of operations for the digital division. They sold all of our web development/internet marketing/social media management/etc. contracts to another company that the CEO had worked with in the past. They're planning on buying this company before they attempt to go public at the end of the year. The company is still building websites with ColdFusion 9 & the Mach II framework, meaning every single website they are selling is vulnerable to a remote file upload exploit unless patched, which they are not. I told my director of operations as well as our COO this but they are older and either don't care or just don't understand the seriousness of the vulnerability. What can I do to make them see the importance of security (short of hacking their damn site and rooting the server :mad:)?
 
Honestly, it might seem like the wrong thing to do, but it might be best to simply say OK and move on, especially if they are as ignorant as you claim. Pushing the issue might hurt your career, especially with people who aren't afraid to acquire and fire all day.
 
Well, the first thing you could do is announce it on a public forum and see what happens ;)

More seriously...schedule some time with them in a coffee shop and a virgin laptop, and demonstrate the hack on a test version of the site (or do something with it that's relatively innocuous, although that kind of ruins the impact). If that doesn't work, or they refuse, then write up something fairly official which says that you've told them about the flaw, you've suggested a fix for it and that you won't be held responsible should somebody other than yourself use the vulnerability to damage the company (or their clients) in any way, and then ask them to sign it. If they ask why, explain that you can see it ruining them and you don't want to be caught in the fallout, especially since you know how to fix it.
 
You really think either of them care about that? No, they don't. They care about bottom line and numbers. They will fix that problem, which is not a big issue, after they rip the new company to shreds. It will not stop them from acquiring the company lol.
 