Our Policy About Transparency
In an earlier piece I spoke at some length about what it means to be a security company, building solutions that combine some elements of insurance, preventative medicine, and education. Now I’d like to talk a bit about transparency and some more of our guiding principles as a company.
Transparency, in its simplest form, is the idea of pulling back the curtain. Various regulations — enforced by the US SEC or similar bodies — require public companies to disclose information that’s material to investors. But there are countless ways to say what’s required while minimizing its impact (if it’s bad news) or maximizing it (if it’s good). Lawmakers spend a lot of time chasing these loopholes and negotiating with industry about how to make improvements.
In security, the law doesn’t require us to talk about our operations. But we believe it’s imperative to do so for two basic reasons:
1) Our ability to deal with problems correctly is a fundamental indicator of our commitment to security best practices; and
2) Willingness to admit our mistakes and include customers, and the world, in the process of fixing them is a core tenet of peer review.
As I mentioned in the other article, security problems are hugely complex: our products and solutions will never be perfect. We know that the industry will try to hack Blackphone, and we know that lots of people will jockey for position in finding a vulnerability. We are taking strong steps to minimize rookie mistakes, but we cannot — and will never — guarantee the products to be perfect. We *can* guarantee that we’ll do a great job of dealing with problems and advising our customers
I welcome any and all discussion but the immutable constraint is this: we will do testing, we will publish a Transparency Report reflecting an honest view of the results, and we will use this data as evidence of due diligence in support of our objectives of security and privacy.
It doesn’t mean we can share absolutely everything, and it doesn’t mean we’ll release information the instant we receive it. For business or other reasons we may choose to hang onto certain things until after we’ve implemented fixes, but our Chief Security Officer’s team will be responsible for managing this line of communication and keeping the world informed of whatever we can share.
We also understand that the information we do release will make it impossible for some customers to buy our products. That’s better than the alternative — where they buy the products but later feel disappointed or betrayed — because we hope they will, at a minimum, recognize we enabled them to make that decision with knowledge instead of uncertainty.
