OK, so I have a question about security testing and whether or not I crossed a line...
I work at a very small company and we have a test environment running on virtual machines, firewalled off from the rest of the network, running under another dev's desk. I have to jump into another server first to get into this environment, and the only sensitive data is our source code (all customer data has been wiped from this replicated environment).
When I read about the following vulnerability I decided to test it out on our environment:
http://seclists.org/fulldisclosure/2010/Oct/257
I know I'm acting like a script-kiddie because I only understand some but not all of the vulnerability, but I decided to try it anyway and, lo and behold, it worked.
I e-mailed my manager and let him know of the issue and told him about the mitigation strategies mentioned in the bulletin. I was hoping to get some credit and maybe a pat on the back (even though this is a relatively low concern - requires ssh access). Instead I was told that I risked termination and I should tell someone first.
My manager did not realize that I had told him it was our dev box that I tried it on. Once I pointed that out again he said it didn't matter. This is on a box we are told we can test anything on because we can just roll back to an old snapshot of the machine.
Was I being too brash? Am I a total idiot for trying this? I should point out that I have sudo on every server in our environment... I was not breaking into something I am not authorized to be logged into. Security is supposed to be important at our company. I thought I was doing the right thing by finding a threat we are theoretically exposed to, reporting it, and finding a mitigation strategy.