• United States



Chief Executive Officer, Security Innovation

Vulnerability disclosure revisited, and revisited, and revisited, …

Jun 14, 20101 min
Business ContinuityCareersData and Information Security

The researchers who discovered the recent iPad/AT&T vulnerability are taking some heat from the FBI. This re-opens the Pandora’s Box of vulnerability disclosure. Questions on this realm include:

  • Should researchers “go public” with security holes they discover?  If so, when? As soon as they’re discovered? After they’ve notified the vendor? After the hole is fixed? or never?
  • What repercussions should researchers face if they go public with a vulnerability that leads to a data breach?
  • What repercussions should the vendor face if a vulnerability they introduce leads to a data breach?
  • How accountable can/should we hold vendors for vulnerabilities in their software or service networks?
  • And in this case, why should a security research firm, who depends on the publication of vulnerabilities for publicity and credibility, be taking any heat for waiting to go public until after the security hole was plugged by the vendor?

I don’t even know where the line is right now regarding doing the right thing… let alone what color it is — black, white, or grey. Would love to hear YOUR thoughts on this — sound off, please!

Chief Executive Officer, Security Innovation

Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world including Microsoft, IBM, Fedex, ING, Sony, Nationwide and HP.