It's interesting, because a point was just made that some of the flaws in devices may not be known to the manufacturers, and obviously not to the public in that case.
When HackerOne was here, there was a bit of discussion about the bug bounties, discovering the bugs and reporting them, but then there are also the concerns about whom they're being reported to, the “highest bidder” phenomenon.
I wonder what all of you have as a perspective on how that should be approached and whether we need more explicit rules about how these vulnerabilities are disclosed, particularly when they're discovered by government organizations—for example, if CSE was aware of serious flaws on devices that we all as Canadians use.