Security management vendor Qualys has denied that its Laws of Vulnerabilities research has been jeopardised by the sudden departure of its originator, Gerhard Eschelbeck.

The company has confirmed that no individual has been appointed to carry on Eschelbeck's work on the research, an analysis of real-world vulnerabilities drawn from scans of Qualys's substantial enterprise customer base. The findings for 2005 were announced last November at the Black Hat conference in Las Vegas.

Eschelbeck, formerly the company's CTO and VP of engineering, announced before Christmas that he was leaving the company, where he had worked for five years, to take up the same position at anti-spyware vendor Webroot. He is regarded as an authority on vulnerabilities and patching strategies.

Eschelbeck was also a key figure in Qualys's involvement in the Common Vulnerability Scoring System (CVSS), an evolving standard for assessing security risks, and in compiling the SANS Top 20, an annual list of the most critical security vulnerabilities.

Qualys CEO Philippe Courtot was adamant that people would be found from within the company to maintain its involvement in the SANS Top 20 and in CVSS, a standard the company is strongly committed to.

However, he confirmed that the company had not yet appointed anyone to take over the Laws of Vulnerabilities research, despite having appointed an interim CTO in Eschelbeck's place. In the longer term, the company might look outside Qualys for a champion for the Laws analysis.

“One person can’t do it all and so you will see more spokespersons,” Courtot said.

Eschelbeck, meanwhile, has his hands full at Webroot as it attempts to move from a consumer business model to one oriented towards business customers.