- They haven't thought about it, even though they should have.
- They don't realize they need it, even though they do.
- They think their software process is already good enough, even if it's not.
- They assume anyone reporting a problem is an evil hacker, even though they're wrong.

The U.S. Federal Trade Commission has brought legal action against vendors for not having sufficient vulnerability response capabilities. In their complaint against ASUS \[106\], they cite the company's failure to _maintain an adequate process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics; … perform sufficient analysis of reported vulnerabilities in order to correct or mitigate all reasonably detectable instances of a reported vulnerability, such as those elsewhere in the software or in future releases; and … provide adequate notice to consumers regarding (i) known vulnerabilities or security risks, (ii) steps that consumers could take to mitigate such vulnerabilities or risks, and (iii) the availability of software updates that would correct or mitigate the vulnerabilities or risks._
Similar complaints have been included in FTC filings against HTC America \[107\] and Fandango \[108\].