In the past, security researchers have followed an unwritten code that governs the ethical release of newly-discovered IT security vulnerabilities. In recent years, however, a new range of “bug bounties,” vulnerability marketplaces, and even government acquisition of critical flaws has created a broader and more lucrative set of opportunities for researchers to consider. In a world where a new vulnerability can mean big opportunities – and big bucks – for security researchers, what’s the “right” way to disclose new vulnerabilities? What are the best and most appropriate venues for disclosure? What’s the right length of time to wait for a vulnerability to be “fixed” before disclosing it in one of these venues? And should researchers seek disclosure venues and practices that are the most likely to keep users safe – or should they simply sell their discoveries to the highest bidder? In this panel session, top experts on vulnerability research and disclosure will offer a variety of views on how best to disclose a newly-discovered security flaw.