When news of the Android master-key vulnerability began leaking out in early July, details were hard to come by, and that was done intentionally. The researchers at Bluebox Security, a mobile-security start-up, had discovered the vulnerability and were planning to disclose the details of the bug in a presentation at the Black Hat USA 2013 conference. They were in the process of working with Google and some of the mobile carriers to ensure that users would be protected against the bug before the full details hit the street. They didn’t get that chance, however, because someone found a pending Android patch online and was able to reverse-engineer it to figure out the vulnerability. In the video below, Jeff Forristal, Bluebox CTO, discusses the process and where it’s left users.