What can the Citrix bug teach us about patch management and disclosure protocols?

Oliver Pinson-Roxburgh, co-founder of Bulletproof, explains what lessons should be drawn from how CVE-2019-19781's story unfolded earlier this year, and makes recommendations on how organisations can reduce the risks they are exposed to.

The Citrix bug (CVE-2019-19781), affecting Citrix ADC (formerly NetScaler) and Citrix Gateway appliances, was reported by researchers and publicly disclosed by Citrix in mid-December 2019. Citrix promptly published mitigation steps, but the permanent firmware patches did not ship until January 2020, and in that window attackers exploited the flaw: a directory traversal that allowed an unauthenticated remote attacker to run code on the appliance, and from there to gain a foothold in the victim's local network.
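The vulnerability class named above, directory traversal, is one that defenders can look for in web server or reverse-proxy access logs while waiting for a vendor fix. The following is an added example, not code from the article or from Citrix, and it does not reproduce the Citrix exploit: it scans constructed, hypothetical Apache-style log lines for request paths that use a `..` segment to reach a restricted prefix, decoding percent-encoding repeatedly so that single- and double-encoded dots (`%2e%2e`, `%252e%252e`) are caught. The log lines, IP addresses and the `/restricted/` prefix are all assumptions chosen for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample log lines (Apache common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2020:10:00:02 +0000] "GET /public/../restricted/admin.pl HTTP/1.1" 200 77
203.0.113.9 - - [10/Jan/2020:10:00:03 +0000] "POST /public/%2e%2e/restricted/admin.pl HTTP/1.1" 200 77
203.0.113.9 - - [10/Jan/2020:10:00:04 +0000] "GET /public/%252e%252e/restricted/admin.pl?x=1 HTTP/1.1" 200 77
198.51.100.7 - - [10/Jan/2020:10:00:05 +0000] "GET /docs/a..b/readme.txt HTTP/1.1" 200 10
"""

# Hypothetical path prefix that ordinary, unauthenticated clients should never reach.
RESTRICTED_PREFIXES = ("/restricted/",)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) HTTP/[^"]+"')


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so double-encoding
    (%252e -> %2e -> .) is unwrapped. max_rounds bounds pathological input."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            break
        cur = nxt
    return cur


def is_traversal(raw_path: str, restricted_prefixes=RESTRICTED_PREFIXES) -> bool:
    """True when the decoded path contains a literal '..' segment AND the
    normalised path lands inside a restricted prefix. Requiring both avoids
    flagging benign names such as 'a..b' and direct (non-traversal) requests."""
    path_only = raw_path.split("?", 1)[0]
    decoded = decode_path(path_only).replace("\\", "/")
    has_dotdot_segment = ".." in decoded.split("/")
    resolved = normpath(decoded)
    reaches_restricted = any(resolved.startswith(p) for p in restricted_prefixes)
    return has_dotdot_segment and reaches_restricted


def find_traversal_hits(log_text: str, restricted_prefixes=RESTRICTED_PREFIXES):
    """Return (client_ip, raw_path) for every log line whose request path
    traverses into a restricted prefix. Unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_traversal(m.group("path"), restricted_prefixes):
            hits.append((m.group("ip"), m.group("path")))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_hits(SAMPLE_LOG):
        print(f"traversal from {ip}: {path}")
```

Two caveats for anyone adapting this: the decoder deliberately over-approximates (it unwraps double-encoding even if the target server would not), which is the right trade-off for hunting but will need tuning before it becomes an alert; and a generic `..` check only finds the traversal pattern, so it should be paired with the vendor's own indicators and mitigation guidance for a specific bug rather than treated as proof of compromise.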