A [recent tweet](https://twitter.com/ExodusIntel/status/491247299054428160) from Exodus Intel (a company based in Austin, Texas) generated quite some noise on the Internet:
Tails ships a lot of software, from the Linuxkernel to a fully functional desktop, including a web browser and a lot of other programs. Tails also adds a bit of custom software on top of this.
Security issues are discovered every month in a few of these programs.Some people report such vulnerabilities, and then they get fixed: This is the power of free and open source software. Others don't disclose them, but run lucrative businesses by weaponizing and selling them instead. This is not new and [comes as no surprise](https://www.eff.org/deeplinks/2012/03/zero-day-exploit-sales-should-be-key-point-cybersecurity-debate).
We were not contacted by Exodus Intel prior to their tweet. In fact, a more irritated version of this text was ready when we finally received an email from them. They informed us that they would provide us with a report within a week. We're told they won't disclose these vulnerabilities publicly before we have corrected it, and Tails users have had a chance to upgrade. We think that this is the right process to responsibly disclose vulnerabilities, and we're really looking forward to read this report.