Exported from Confluence, Fri, 29 Mar 2024
Furthermore, even when you can find the vendor, not all vendors have established processes for receiving vulnerability reports. Again, potential reasons abound:
The U.S. Federal Trade Commission has brought legal action against vendors for not having sufficient vulnerability response capabilities. In their complaint against ASUS [1], they cite the company's failure to
maintain an adequate process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics;…perform sufficient analysis of reported vulnerabilities in order to correct or mitigate all reasonably detectable instances of a reported vulnerability, such as those elsewhere in the software or in future releases; and...provide adequate notice to consumers regarding (i) known vulnerabilities or security risks, (ii) steps that consumers could take to mitigate such vulnerabilities or risks, and (iii) the availability of software updates that would correct or mitigate the vulnerabilities or risks.
Similar complaints have been included in FTC filings against HTC America [2] and Fandango [3].