The researchers who discovered the recent iPad/AT&T vulnerability are taking some heat from the FBI. This re-opens the Pandora’s Box of vulnerability disclosure. Questions on this realm include: Should researchers “go public” with security holes they discover? If so, when? As soon as they’re discovered? After they’ve notified the vendor? After the hole is fixed? or never? What repercussions should researchers face if they go public with a vulnerability that leads to a data breach? What repercussions should the vendor face if a vulnerability they introduce leads to a data breach? How accountable can/should we hold vendors for vulnerabilities in their software or service networks? And in this case, why should a security research firm, who depends on the publication of vulnerabilities for publicity and credibility, be taking any heat for waiting to go public until after the security hole was plugged by the vendor? I don’t even know where the line is right now regarding doing the right thing… let alone what color it is — black, white, or grey. Would love to hear YOUR thoughts on this — sound off, please! Related content opinion My Concerns with CyberSecurity Legislation – no teeth, paper audits, and “security” auditors By Ed Adams Jan 06, 2012 3 mins Data and Information Security opinion Sony CISO Reporting to Executive Management. Maybe Cyber Security Czar will follow suit? By Ed Adams Nov 17, 2011 2 mins Data and Information Security opinion Sony appoints CISO in response to PlayStation attacks……but reports to the CIO????? By Ed Adams Oct 28, 2011 2 mins Data and Information Security IT Leadership opinion Q&A with Myself - Thoughts on Sony, DOD, RSA, IMF & Lockheed Martin By Ed Adams Sep 22, 2011 3 mins Data and Information Security IT Leadership Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe