The security community is full of incredibly smart and inquisitive people doing amazing research to keep us safe. Pretty much daily, we see disclosure of important vulnerabilities, from firewalls to application and AI frameworks. They draw news coverage in the community and collaborative efforts with other researchers building on what comes before, but they fly below the radar of much of the public.

But every now and then, we get research on a flaw that grabs public attention in a big way because of its accessibility to everyone to understand and internalize the potential – and even personal – impact. Such was the case in March with the Unsaflok research. A team of researchers publicly disclosed flaws that they discovered back in 2022 at a private hacking event. In a Vegas hotel room, their discovery would allow them to almost instantly open any one of 3 million hotel doors worldwide, inside 13,000 properties in 131 countries. Understandably, the news went viral in every manner of consumer and business news outlet, some with more sensational headlines.

It’s on this point that we identified a chance to explore beyond the headlines and research, showcasing the crucial work of professional security researchers and their processes. Specifically, we highlight a case where it took two years for their findings to be published, ensuring the public's safety was prioritized. So we decided to ask Bishop Fox Senior Analyst Justin Rhinehart, who himself was involved in the Unsaflok research. We asked Justin to distill for us and the broader public how this type of “marquee” research comes to market in an ethical and responsible way – from inspiration and hacking process, to the decision tree of what gets disclosed and when, and how that’s balanced with the public interest.