The cybersecurity industry has a major trust problem. While demanding visibility from customers about their networks, applications and threats, security providers often operate their own businesses behind closed doors. The industry’s embrace of responsible disclosure needs to extend to responsible transparency as well.
After two decades fighting cybercrime, I’m convinced that our industry’s collective failure to improve transparency, despite efforts to encourage standards of conduct, represents a significant barrier to meaningful cybersecurity progress. We can’t have a system where secrecy masquerades as competitive advantage. Responsible transparency isn’t just about vulnerability disclosure, it means sharing information about risks and building processes that help build trust.
It’s time to acknowledge an uncomfortable truth: the current system isn’t working. The path forward requires responsible transparency across our entire industry.
The Opacity Tax
The cyber industry’s habit of opacity carries a hidden cost that customers pay every day. When vendors treat vulnerability information as proprietary intelligence, security teams make critical decisions with incomplete data. When companies obscure their development practices behind trade secret claims, customers can’t properly assess the solutions they’re deploying to protect their most sensitive assets.
This information asymmetry doesn’t just create inefficient markets; it creates unsafe outcomes and silos. Organizations choose vendors based on polished presentations and unvetted claims rather than proven security practices. They discover critical vulnerabilities through exploitation rather than proactive disclosure. They implement solutions without understanding the risk profiles they’re actually accepting.
This isn’t just bad business; it’s ethically indefensible when the stakes include protecting hospitals, schools and other critical infrastructure.
Beyond Compliance Theater
Regulatory compliance should be the floor for disclosure, not the ceiling. Companies can publish the minimum required disclosures, respond to vulnerability reports within prescribed timeframes and check the boxes that auditors demand. But we should be focused on more than satisfying requirements.
This approach requires abandoning the fiction that perfect security exists. Instead of positioning vulnerabilities as failures to be hidden, we must recognize them as inevitable realities to be managed openly. The strongest vendors aren’t those with the fewest disclosed vulnerabilities—they’re those with the most rigorous discovery and disclosure processes.
An Imperfect Scorecard
Our industry’s relationship with the Common Vulnerabilities and Exposures (CVE) system perfectly illustrates our transparency dysfunction. CVE was designed to standardize vulnerability reporting, but it’s evolved into an imperfect and often static scorecard that punishes proactive disclosure and rewards reactive damage control.
The number of CVEs reported each year has skyrocketed, which has led to concerns about quality and prioritization. Not all CVEs are created equal: a vulnerability that is unlikely to be exploited isn’t nearly as important as a critical one that already has been.
This discrepancy can greatly impact incident response for critical infrastructure and hamper information sharing between federal agencies.
For example, a recent Oracle E-Business Suite zero-day vulnerability (CVE-2025-61882) was elevated not only by its Common Vulnerability Scoring System (CVSS) rating of 9.8, but by detection showing active exploitation, along with a strong Exploit Prediction Scoring System (EPSS) score. Because the alert combines CVE, in-the-wild activity, and EPSS, responders across sectors can better gauge imminent risk and prioritize patches and mitigation. Without such transparency from organizations, agencies or critical infrastructure operators might only see the CVE score and delay action until it’s too late.
It is also critical for organizations to differentiate between total, open, and active attack surfaces. Many CVEs may exist across systems, but only some are open to attacks and only a subset are under active exploitation. Effective threat intelligence and incident response depend on identifying active risk. When vendors or agencies withhold this critical context – such as whether a vulnerability is actively being exploited – they hamper cross-domain sharing, such as between the Cybersecurity and Infrastructure Security Agency (CISA), Department of Homeland Security (DHS), and the private sector. In practice, this opacity slows coordinated defense and degrades the collective ability to anticipate and respond to fast-moving attacks.
Even more problematic is how we’ve historically relied on static scoring systems like CVSS that treat vulnerabilities as fixed threats, ignoring how risk evolves in the real world. While CVSS serves a useful purpose, other alternatives are also being adopted, like the Exploit Prediction Scoring System (EPSS), which we helped launch with FIRST.org, to provide risk assessments that change as threat landscapes shift.
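As an added illustration (not code from the article or from Fortinet), the prioritizer below ranks findings by the context the preceding paragraphs argue should travel with a CVE: the static CVSS base score, the EPSS probability, evidence of in-the-wild exploitation, and whether the affected asset is actually reachable (total vs. open vs. active attack surface). The weighting is an assumed, simplified policy, and the EPSS values and the CVE-EXAMPLE-* identifiers are constructed for the sample; only CVE-2025-61882 and its 9.8 CVSS rating come from the article.

```python
# Added example: rank vulnerabilities by dynamic context, not CVSS alone.
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    cvss: float      # static CVSS base score, 0-10
    epss: float      # EPSS probability of exploitation within 30 days, 0-1
    exploited: bool  # observed in-the-wild exploitation (e.g. a KEV-style listing)
    reachable: bool  # the affected asset is exposed on the relevant attack path


def surface(f: Finding) -> str:
    """Classify a finding as part of the total, open, or active attack surface."""
    if f.exploited and f.reachable:
        return "active"
    if f.reachable:
        return "open"
    return "total"


def priority(f: Finding) -> float:
    """Assumed weighting: CVSS is scaled by EPSS, boosted by exploitation evidence,
    and heavily discounted when the asset is not reachable."""
    score = f.cvss * (0.5 + f.epss)   # EPSS 0 -> half weight, EPSS 1 -> 1.5x
    if f.exploited:
        score += 10                   # confirmed exploitation outranks any base score
    if not f.reachable:
        score *= 0.25                 # still tracked, but far less urgent
    return round(score, 2)


def rank(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority, reverse=True)


# Constructed sample data: EPSS values and CVE-EXAMPLE-* ids are illustrative.
SAMPLE = [
    Finding("CVE-2025-61882", 9.8, 0.90, True, True),      # Oracle EBS zero-day from the article
    Finding("CVE-EXAMPLE-0001", 9.9, 0.02, False, False),  # highest CVSS, unreachable, low EPSS
    Finding("CVE-EXAMPLE-0002", 7.5, 0.60, False, True),   # reachable, moderately likely
    Finding("CVE-EXAMPLE-0003", 5.3, 0.01, False, True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.cve:18} {surface(f):7} priority={priority(f)}")
```

Note that the finding with the highest CVSS (9.9) lands last because it is neither reachable nor likely to be exploited, which is exactly the distinction a static score hides.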
We need frameworks that reward proactive vulnerability discovery and communication, comprehensive disclosure practices, and customer-focused remediation guidance. Quality must triumph over quantity, and transparency must be recognized as a strength rather than a liability. That’s how we begin to foster greater trust throughout the industry.
The Moral Imperative
The case for responsible transparency extends far beyond business metrics or competitive positioning. Customers rely on cyber vendors to protect their businesses, their employees, and their communities from sophisticated adversaries who exploit every weakness they can find.
Every undisclosed vulnerability, every obscured security practice, every claim that can’t be independently verified represents a potential advantage for those seeking to cause harm.
We have an obligation to be better. Our industry’s commitment to protecting others must start with complete honesty about our own capabilities and limitations. We cannot ask customers to trust us with their most critical assets without demonstrating why that trust is warranted.
A Path Forward
The cybersecurity industry’s evolution toward greater transparency won’t happen automatically; it requires intentional leadership and collective action. We need frameworks that support vendor transparency, industry standards that reward comprehensive disclosure practices and customer recognition of vendors who embrace openness.
To accelerate this transformation, Fortinet has provided support for the launch of the Initiative for Trust & Transparency in Cybersecurity (ITTC), a new effort dedicated to educating, sponsoring research and advocating for adherence to industry best practices that help increase transparency. The ITTC is eager to work with other vendors, researchers and cyber leaders who share these concerns and support industry transparency efforts.
The vendors who embrace responsible transparency today will build the customer relationships and market positions that define industry leadership tomorrow. By choosing openness over secrecy and customer service over self-interest, we can build the cybersecurity industry our society deserves.