Just speak personally, but make things unambiguous.

That's a great video, but it might be a good idea to remove the company specific stuff - just in case the manager sees it, I'm not too sure how they'd take seeing that there.

And then leave the implied outcome hanging and let your colleague decide what to do.

I think the answer depends on what code is visible in the video. If it's a "Hello, world!" type fragment, some loop that's meaningless without larger context, or an implementation of a simple standard algorithm like linked list etc., I would not consider it to be a big deal; StackOverflow is full of such code and no harm is done. Simply speak to your colleague and suggest they be careful when posting videos of source code so as not to leak anything important.

If one can see in the video a fragment of something critical to your company, such as an implementation of a proprietary algorithm, or encryption, or user authentication, you need to act to make sure the video is removed ASAP. Where I work this would be a major security incident that must be immediately reported to the security response team and to management.

How did he post the code? Screen shot? Video with his monitor in the background? Are machine readable text that I could copy, paste and compile? You say "it's blurry and hard but not impossible to read", so I assume it is a video with a monitor visible?

If that is the case, then let's be serious here: Nobody will be interested in that piece of code. The source code that I'm working on is highly valuable, but if one page of it is shown in a video, it's not of any use to anybody. One page, randomly picked, without any context, is completely useless to anybody. Nobody will even try to copy it.

Unless there are comments in the code that you wouldn't want to share like "this function contains the code where we siphon off the user's address book and send it to our server, and the losers will never find out", then very little harm is done.

my boss finds out I knew about it, I think I would be in legal danger

If that code is important and has any security risk - Most definitely. You may only receive a warning if it is just generic code.

However I feel this line almost answers your question. You already said that it's your first time working with this person, you have no loyalties. It may be that the colleague in question doesn't know any better and needs educating.

You should tell your colleague to remove it and then tell your manager of what has happened and go from there for the off chance that the manager does see it you want to make sure he's informed so that your own job and financial safety is held.

You don't really have a choice: Your employer would probably tell you that you should go directly to your supervisor and report the incident. I don't think this would be ilegal, but it is probably against information security codes or regulations inside your company.

Now, as a human being, you could also talk to the guy first, tell him to delete that, and not post anything of the sort again. But you must understand the risk of this if HR of a supervisor were to find out.

If possible present the video (in it's context) to your Information Security team without mentioning who the employee is, something along the lines of "I came across this video from one of our employees and it looks like they may have accidentally caught some of our code in the video". If you are asked who the employee is, it is better for you and the company to tell the information security team and let them handle it.

Even if we were to remove the video content, there may be policies against the use of recording devices within the workplace (phones with video/audio recording capabilities are generally included for the purposes of these policies).

Best case scenario: all employees are reminded of their responsibilities and the employee responsible receives a soft strike on their record.

Worst case scenario: the employee loses their job and faces a civil-case.

Handling the situation yourself could carry more risk than ignoring it or reporting it to the information security team. While I don't advocate ignoring it, it does provide you the option of deniability "I don't interact with x on the platform so I couldn't have seen it" (admittedly the posting of this question could reduce your ability to rely on that). Handling the situation yourself though, opens you up to the employee continuing this behaviour and you handling it, eventually you get fed up, report it and the employee throws you under the bus in desperation/retaliation.

As a bonus for one of your comments on your bosses not liking social media, this is a good example of why. People tend to forget that social media is not like hanging with a group of friends at your home, it's more like hanging with a group of friends in a crowded pub and you never know who is watching or listening.

I don't fully agree with all the answers so far because they leave too much wiggle room.

1. I am assuming that posting anything on social media that includes software or any information about your employer is against policy.


2. If all your code contains a boilerplate copyright blow, your co-worker has violated that copyright and could be in legal trouble depending on copyright law in Italy.


3. You now know about this violation, and it is your duty to your employer to report it. Do NOT tip off your co-worker, when he gets in trouble he is going to be looking for someone to blame and he might use you

Most employers take this kind of thing very seriously, often too seriously.

Now, not every company is like that, but the way you phrased the question your employer is not one of those places that encourages people to participate in social sharing.

Some employers have anonymous tip lines. You may consider using this and providing them with any information you have including the employees name and the site/link he posted to.

At a minimum inform you boss. Keep it factual and just express your concern and that you felt it your duty to pass it along and let them handle it how they see fit.

The person is new to the workplace, suggesting they are quite young. I would recommend letting the manager know about it. You can tell the manager (assuming they won't consider it themselves), that a firm talking to by them now would make it clear what a person's responsibilities are in the professional environment and what is not acceptable despite the ease with which people post all sorts of personal information online.

It is professional to call out security violations.

Whenever you see something dangerous happening, or a non-dangerous mistake for that matter, it would be professional to bring that to the attention of those who did it and those who can fix it. In the best case, those who did it and those who can fix it are the same person, and there is no need to deliver a "reprimand" in public.

To give you a trivial example, I've told juniors, peers, and seniors that they have forgotten to lock their screen while they were away from their desk. By and large, they said oops, sorry, I'll be more careful next time and I've left it at that.

See something, say something, but I'm not the security manager.

I've also seen things which were more of a pattern rather than individual mistakes. In those cases I went to the management and told them we have a systematic problem, it needs a systematic answer, without naming any specific names. (I'm fortunate that I trust them not to press me on individual names.)

Other options:

• Mention the topic of "social networks"in a casual way at lunch and clearly state that you don't think that anything related to work should be visible in a video posted there.