[tptacek]

Yeah, it's an idiosyncrasy of vulnerability research and "zero day" status. Things will get discussed with the media in advance of the conference, but if you blog your whole talk before the review board sees the submission, that'll get used to shoot down accepting. Which sort of makes sense, because even if it's good, your submission will be competing with 5 more really good talks on the same track.

I'm a longtime reviewer for Black Hat, and I've reviewed (shadow) for ACM and (publicly) for Usenix (I was a PC for WOOT a few years ago). It's a different vibe. Nobody's WOOT submission got dinged for having been disclosed in advance, but Black Hat submissions will get dinged for having been presented at regional conferences prior to BH.

Again though: the single easiest way to make sure a talk has no chance at BH is to make it vendor-y. Reviewers will LinkedIn-stalk the names on the presentation to make sure nobody's connected to marketing or sales. If you're submitting something that's even tangential to your product (smart toaster firewalls), even if it's good research (elite-level zero-day vulnerabilities in smart toasters), you have to go way out of your way to assure reviewers you won't pitch on stage.

Black Hat is pretty sensitive to making sure the talks themselves aren't commercial, even though the conference trappings are extremely commercial. "This would make a better RSA talk" is an extremely common epithet.