HACKER Q&A
📣 Phimozes

Do security units have a moral obligation to publish advisories?


A company I’m working for has an internal unit for performing security assessments. I work there as a freelancer and I’m finding some serious security vulnerabilities in high-end products. Normally I would disclose vulnerabilities in the form of advisories, but I’ve been told that it’s company policy not to disclose any information found during internal (security) research.

My security/hacking background taught me that the security world progresses by disclosing vulnerabilities after they’ve been patched. I’ve encountered many cases where businesses would prioritize software updates based on the severity of publicized vulnerabilities. I’ve tried communicating that an advisory does not bear a company name, but they hold on to internal policies like a tick on a forehead.

The security of modern companies is built on the shared knowledge of security researchers. I’m physically appalled by the thought that I’m helping a company exercise leech-like behavior, in which knowledge is only taken but none is shared. I would like to know how common this practice is, and what you consider to be an appropriate level of aggression against it, if any.


  👤 greenyoda Accepted Answer ✓
I'm guessing that the company you're working for has concerns about the possible legal liability of doing security research on software that they don't own. For example, even if it is permitted under law, disclosing the vulnerability might violate the license under which the software is provided for their use. Since you're apparently not a lawyer, you're not really in a position to question the wisdom of these policies, and as long as you're working for this company, you have an obligation to protect their interests. If the company was sued by the software owner, you could be personally liable if you ignored explicit instructions to not disclose vulnerabilities.