It’s critical that infosec professionals and consumers understand threats and vulnerabilities, but they are being kept in the dark.
There has been a lot of coverage in the media recently concerning the Pegasus spyware and the zero-click exploits that are coming to light. Public disclosure and discussion of these exploits have resulted in Common Vulnerabilities and Exposures (CVE) entries being assigned and, eventually, patches from the affected vendors. This latest news adds urgency to a question I’ve been thinking about for a while: What’s the best model to encourage the rapid disclosure of vulnerabilities so that affected parties can mitigate risk faster?