It‘s no surprise that companies like Microsoft are in no hurry to divulge findings about state-run malware, at least not if it involves governments it has large contracts with. But security researchers shouldn‘t be acting as flacks for intelligence agencies, even if only committing sins of omission. As the ACLU‘s chief technologist pointed out, there‘s no faster way to „destroy“ your company‘s reputation as a „provider of trustworthy security consulting services.“ Who‘s going to want to hire someone that won‘t tell you your data and communications are compromised until it feels it‘s „safe“ to do so?