All right. Good. Thank you very much for that.
I have one last question for both of you. A number of Canadian organizations have responsible disclosure policies that offer financial incentives to what we call “ethical hackers” to refrain from publicly disclosing software security and vulnerabilities they discover in that organization's products or services until a patch is available.
However, a frequent complaint of those who disclose security vulnerabilities under a responsible disclosure scheme is that the organization they disclose to fails to respect the rules of that game. Sometimes, an organization that has been alerted to a security vulnerability in their product or services plays down the significance of that vulnerability, so as to pay a smaller bounty, fails to give due credit to the ethical hackers or demands an unreasonable delay in public disclosure because they're unwilling to put resources into patching the vulnerability.
We all know that puts Canadians at risk. What do you think government should be doing to encourage organizations to implement responsible disclosure policies to prevent this sort of activity from occurring?