Two Salesforce security team members were let go following their presentation of a new testing platform.
An article review.
Before you join that panel discussion of disgruntled bankers, consider this story that comes to us by way of Joe Cychosz: a pair of Salesforce security team members were let go shortly after their presentation at the Defcon security conference.
The presentation in question concerned a new exploit framework the presenters had designed for penetration testing, and reportedly had the blessing of Salesforce management until shortly before the talk was scheduled–a text message was allegedly sent to the duo warning them not to participate, but the former employees say they were not received until after the presentation.
While the exact reasoning behind management’s change of heart wasn’t known at the time the article was written it appears to be related to the public release of the application’s code and may have been done due to liability concerns. This incident highlights one of the bigger issues in the security research field, namely the responsible disclosure of exploit information and testing tools. While the security community often attempts to practice complete openness this can be at odds with the companies funding their work, and the correct balance between the two remains hotly contested.
Original article by Zack Whittaker writing for ZDNet.