Matasano Disclosure Ethics

Our Disclosure Practices

Matasano routinely discovers critical flaws in important software. Here’s how we handle them. Some of these statements won’t win us any popularity contests at security conferences. We understand; disclosure is an ethical minefield. These are the choices we’ve made. We encourage other firms to make their choices clear too.

Matasano Does Not Violate Client Commitments

Clients choose to trust third parties. They can also choose not to, which leaves vulnerabilities undiscovered, unfixed, and exploitable. Nobody benefits from that. Matasano works under NDA with its clients, and they set the terms on which our work is published.

Matasano Does Not Publish Details Without Vendor Patches

Sometimes advisories should be published, with or without a patch, so that customers can enact workarounds. But that’s never our call to make. When Matasano finds a vulnerability, we secure viable vendor-supplied patches prior to disclosing it.

Matasano Does Not Sell “Secret” Vulnerabilities

Secret commercial markets for vulnerabilities suppress disclosure. They prevent vendors from finding and fixing flaws. They circulate and attach premiums to secret, high-risk vulnerabilities in popular products. That’s dangerous. Matasano discloses vulnerabilities directly, or through the vendors themselves.

Matasano Does Not Publish Exploit Code

Patch cycles delay defenses for months. Many enterprises believe systems behind perimeter firewalls don’t need to be patched at all. That gives exploit code a half-life of months, or even years, during which it can be used to steal our Dad’s credit card number.

Matasano Promotes Disclosure

Having said all that: Matasano publishes vulnerabilities. We think it’s the right thing to do. We think full disclosure has done more to mitigate risk than any other force short of Internet firewalls. We encourage vendors to publish, so their customers can fix. We publish as soon as circumstances allow. We are evangelists for disclosure. It’s the right thing for our clients, and the right thing for the industry.

Who We Are

Since 1994, Matasano researchers have had founding roles in the first security research labs, discovered new classes of vulnerabilities, secured operating systems, and shipped large software projects. We’ve been behind some of the first breaks in SAN technology, virtualization, and financial protocols. Our work has been featured in Network World, eWeek, Forbes, Macworld, Wired, and the Washington Post, and at conferences ranging from Black Hat to Gartner.