When considering what information to release about a vulnerability, our advice is "Don't tease." Our experience shows that the mere knowledge of a vulnerability's existence in a feature of some product is sufficient for a skillful person to discover it for themselves. Rumor of a vulnerability draws attention from knowledgeable people with vulnerability finding skills—and there's no guarantee that all those people will have users' best interests in mind. Thus, teasing the existence of a vulnerability in a product can sometimes provide an adversarial advantage that increases risk to end users.



