Cybersecurity, zero knowledge proofing | Homeland Security Newswire


Published 4 May 2021
Researchers develop capability to mathematically prove exploitability of vulnerable software without revealing critical information.
Today, the disclosure process for software vulnerabilities is fraught with challenges. Cybersecurity researchers and software security analysts face an ethics-versus-efficacy dilemma when it comes to reporting or sharing discovered bugs. Revealing a vulnerability publicly may get the attention of the program’s developers and motivate a timely response, but it could also result in a lawsuit against the researcher. Further, public disclosure could enable bad actors to exploit the discovery before a patch or fix can be applied. Sharing the vulnerability directly with the software maker, on the other hand, is ethically sound but may not necessarily prompt action. As history has shown, software makers are often reluctant or unwilling to engage with outside security teams, and the disclosed vulnerabilities are frequently ignored or corrective action is dangerously delayed.
