...

Products with secure automatic updates provide a good way to get a patch deployed quickly to a wide audience. However, not all users are able or willing to use automatic updates, so it is still important for vendors to draw attention to their fixes. Vendors should strive to implement easy and secure update methods in their products. In situations where this is not possible, the vendor's disclosure plan should be specific about how to spread the word of a new patch as quickly as possible.

Avoid Silent Patches

Many system deployers use vulnerability scanning tools to discover systems on their network that need patches applied. In turn, many vulnerability scanning tools depend on public vulnerability databases such as NVD, and NVD entries are largely dependent on CVE ID assignments. When a vendor issues an update without acquiring CVE IDs for the vulnerabilities it addresses, the fix can go unnoticed by the vulnerability databases, the scanning tools built on them, and ultimately the deployers. Therefore we strongly recommend that vendors acquire a vulnerability ID for each distinct vulnerability they fix, so that it is clear which vulnerabilities are fixed by which specific patch.

A related issue arises when vendors fail to increment their product version number when issuing a fix for one or more vulnerabilities. Vulnerability databases and scanners express "affected" as a version range with a fixed version as its upper bound; if the fixed build carries the same version string as the vulnerable one, no such bound exists. This makes it much harder for coordinators, vulnerability database providers, vulnerability scanning tool vendors, and deployers to differentiate systems affected by a vulnerability from those that are not.
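The two failure modes above, modelled in code. This is an added illustration, not code from the CVD guide or from any scanner: a version-matching scanner is reduced to checking an installed version against the "introduced in X, fixed before Y" ranges a vulnerability database publishes (loosely after NVD's versionStartIncluding/versionEndExcluding CPE match ranges). The product name, the EXAMPLE-n identifiers, the hosts and their versions are all constructed for the example; each host also carries a ground-truth set of issues its build really contains, which the scanner cannot see.

```python
"""Added illustration (not from the CERT CVD guide): why silent fixes and
unbumped version numbers defeat version-based vulnerability scanning.

The scanner matches an installed version against affected-version ranges
("introduced in X, fixed before Y"). Product name, vulnerability IDs, hosts
and versions are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; real schemes (semver pre-release tags,
    vendor build suffixes) need a proper comparator."""
    return tuple(int(p) for p in s.split("."))


@dataclass(frozen=True)
class AffectedRange:
    vuln_id: str
    product: str
    introduced: str
    fixed: Optional[str]  # None: the database could not name a fixed version

    def matches(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: str
    # Ground truth the scanner cannot see: which issues the installed build
    # really contains (constructed for the example).
    actually_vulnerable: FrozenSet[str]


def scan(hosts: List[Host], ranges: List[AffectedRange]) -> Dict[str, List[str]]:
    """What a version-matching scanner reports for each host."""
    return {
        h.name: sorted(r.vuln_id for r in ranges
                       if r.product == h.product and r.matches(h.version))
        for h in hosts
    }


def run(ranges: List[AffectedRange], hosts: List[Host]) -> Dict[str, Dict[str, List[str]]]:
    """Scanner output compared with ground truth, per host."""
    findings = scan(hosts, ranges)
    return {
        h.name: {
            "false_positive": sorted(set(findings[h.name]) - h.actually_vulnerable),
            "false_negative": sorted(h.actually_vulnerable - set(findings[h.name])),
        }
        for h in hosts
    }


PRODUCT = "examplecorp:widgetd"  # constructed product identifier

# Scenario 1: the vendor behaviour this section warns against.
RANGES_SILENT = [
    # EXAMPLE-1: fixed in 2.3.1, ID issued, version bumped: a clean boundary.
    AffectedRange("EXAMPLE-1", PRODUCT, introduced="2.0.0", fixed="2.3.1"),
    # EXAMPLE-2: fixed by re-releasing 2.3.1 under the same version string, so
    # the database cannot name a fixed version and the range stays open-ended.
    AffectedRange("EXAMPLE-2", PRODUCT, introduced="2.0.0", fixed=None),
    # EXAMPLE-3: fixed in the same rebuild with no ID requested at all, so no
    # entry exists and nothing can ever match it.
]
HOSTS_SILENT = [
    Host("web-1", PRODUCT, "2.3.0", frozenset({"EXAMPLE-1", "EXAMPLE-2", "EXAMPLE-3"})),
    Host("web-2", PRODUCT, "2.3.1", frozenset({"EXAMPLE-2", "EXAMPLE-3"})),  # first 2.3.1 build
    Host("web-3", PRODUCT, "2.3.1", frozenset()),                              # rebuilt 2.3.1
]

# Scenario 2: the same fixes shipped as the section recommends: every fix has
# an ID and lands in a new version (2.3.2), so each range has a closed bound.
RANGES_PROPER = [
    AffectedRange("EXAMPLE-1", PRODUCT, introduced="2.0.0", fixed="2.3.1"),
    AffectedRange("EXAMPLE-2", PRODUCT, introduced="2.0.0", fixed="2.3.2"),
    AffectedRange("EXAMPLE-3", PRODUCT, introduced="2.0.0", fixed="2.3.2"),
]
HOSTS_PROPER = [
    Host("web-1", PRODUCT, "2.3.0", frozenset({"EXAMPLE-1", "EXAMPLE-2", "EXAMPLE-3"})),
    Host("web-2", PRODUCT, "2.3.1", frozenset({"EXAMPLE-2", "EXAMPLE-3"})),
    Host("web-3", PRODUCT, "2.3.2", frozenset()),
]

if __name__ == "__main__":
    for label, ranges, hosts in (("silent", RANGES_SILENT, HOSTS_SILENT),
                                 ("proper", RANGES_PROPER, HOSTS_PROPER)):
        print(label)
        for host, result in run(ranges, hosts).items():
            print(f"  {host}: {result}")
```

In the silent scenario the rebuilt host web-3 is reported as still affected by EXAMPLE-2 (a false positive the deployer cannot resolve from version data alone), and EXAMPLE-3 is never reported on any host because no record of it exists (a false negative on web-1 and web-2). In the proper scenario every host's report matches ground truth, because each fix has an ID and a version that bounds the affected range.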

Amplify the Message

Sometimes it is necessary to draw more attention to a problem or fix. Critical vulnerabilities, including those that are already being exploited or are highly likely to be exploited, may warrant attracting attention beyond merely publishing a document on the vendor's support site. In such cases, additional measures should be taken to draw attention to the existence of the vulnerability or the availability of its fix.

...