Anyone who has ever traveled knows that bedbugs are the kiss of death for a hotel, and possibly the franchise, as no one likes to get bitten. BlackBerry is hoping the analogy doesn't transfer to the bugs found in its QNX embedded operating system. The company opted to quietly handle the vulnerability with its partners, apparently hoping the public wouldn't get a whiff of the bad news.

It is hard to believe that BlackBerry's legal, PR, and marketing teams would choose this approach given the millions of consumers in the vehicle, medical, and infrastructure worlds who might be bitten. Putting the security of one's customers behind one's public face is wrong, and frankly, it stinks to high heaven.

Let's dig in.

The BadAlloc vulnerability

In late April 2021, Microsoft researchers revealed that the BadAlloc bug was affecting a wide range of IoT devices and vendors. Microsoft characterized the vulnerability as potentially allowing an attacker to perform a denial of service or execute arbitrary code. Many vendors took the advisory on board and by May 2021 were mitigating and messaging how the vulnerability might impact customers and the pathway to remediation.

Though BlackBerry's OS was installed across a multitude of industries, including critical infrastructure, the US federal government, automotive, industrial controls and medical devices, the company seemed to think this gale wind wasn't going to affect its sails. They remained silent.

US pressured BlackBerry to go public

BlackBerry rolled out its advisory on August 17, 2021. That advisory stepped right past the fact that a vulnerability discovered in April was only being revealed in August.
It did, however, note that if those using QNX do not mitigate the threat with the provided patches, there "are no known workarounds for this vulnerability."

It isn't known how much pressure from the US Cybersecurity and Infrastructure Security Agency (CISA) it took to get BlackBerry to reveal that QNX was affected, as had been suspected in April. Multiple media outlets report that CISA was unrelenting in its efforts to have BlackBerry publicly reveal the vulnerability and not simply inform the partners who were embedding the OS into products.

BlackBerry argued, according to Politico, that it had no visibility into how its customers were using its product. Indeed, the company insisted it keeps "lists of our customers and have actively communicated to those customers regarding this issue. Software patching communications occur directly to our customers."

Following the release of the BlackBerry advisory, CISA issued its own advisory and duly highlighted the need to mitigate across government agencies and the nation's critical infrastructure companies, including those involved with the US Coast Guard and the US Nuclear Regulatory Commission; both entities put out their own advisories to affected entities within their domains.

The unpatched vulnerability was not only affecting industrial controls and automotive applications, it was also affecting a plethora of medical devices. The Food and Drug Administration issued its own advisory, again only once BlackBerry had owned up, and emphasized how the vulnerability may "introduce risk for certain medical devices and drug manufacturing equipment." What was clear from the FDA advisory is that the scope of the exposure caused by BlackBerry's QNX vulnerability is unknown.
The FDA has urged those impacted to contact the FDA at once and identify the product equipment and systems that have been deemed vulnerable.

Both CISA and the FDA were quick to note that there have not been any confirmed adverse events associated with the BlackBerry vulnerability.

Did BlackBerry dodge a bullet?

Regardless of whether BlackBerry dodged the bullet of having the vulnerability exploited while they sorted out their public-facing verbiage, the bottom line is that the Canadian company took its time and needed prodding by the US government to do the right thing. They now face a shellacking in the court of public opinion. What remains to be seen is whether the FDA will weigh in with fines and other administrative actions, given that the vulnerability left unpatched or unmitigated devices within the healthcare sector.

It is unknown whether input will be coming from other federal agencies/departments given BlackBerry's recent announcement that it was integrating its technologies into vehicles with California's "Car IQ," where the vehicle will essentially function as an electronic wallet.

The take-away for all CISOs is obvious: Manufacturers and consumers both want to know that when a vulnerability is discovered by the companies they trust, that trusted entity will let them know in a timely and forthright manner. Once trust is broken it is hard to repair, and the adage "one aw-shucks wipes out a hundred atta-boys" applies.