The Cyber5 Podcast

Legal Ramifications of Vulnerability Disclosure with Paul Hastings Partner Aaron Charfoos

Episode 20 of the podcast covers the business and legal implications of vulnerability disclosure, in a discussion with Aaron Charfoos, Partner at Paul Hastings.


  • (01:23) Question 1: How would you advise clients/companies to react to security researchers with knowledge of a vulnerability when they contact the organization? Should companies treat this as incident response?
  • (03:39) Question 2: What kind of business and legal issues do those disclosures pose? How should companies weigh out the risks?
  • (06:17) Question 3: How should security researchers think about approaching companies with vulnerability disclosures?
  • (10:40) Question 4: With regard to disclosure, what should organizations say and not say and to whom? Can those disclosures be coordinated with the white hats who bring the CVEs over to them? What’s the best way to get ahead of the media’s desire to shine light on these issues as news items?
  • (14:09) Question 5: Are there any helpful case studies to delve into for our listeners, i.e., where in your practice have you seen this work out well for clients, and not so well?

Episode 20 | August 20, 2020
