Question from a reader


"Just wondering about your thoughts on Red Teaming and ethics. If you discover a security hole in a product/platform/service like the iOS "goto fail" bug, do you keep it quiet and use it, or report it and exploit it until fixed?"


I believe in public disclosure of vulnerabilities. It keeps the vendors honest and we get better, more secure products. The public disclosure also allows other security researchers, security managers and red teams to check their own systems and apps for the issue that was disclosed and try to fix it or find a temporary workaround, even before the vendor issues a fix.

Having said this, however, if we are in the middle of a project and we find a vulnerability that we can exploit to finish the project successfully, then we will exploit it and disclose it afterwards.