
Furthermore, even when you can find the vendor, not all vendors have established processes for receiving vulnerability reports. Again, potential reasons abound:

  • They haven't thought about it, even though they should have.
  • They don't realize they need it, even though they do.
  • They think their software process is already good enough, even if it's not.
  • They assume anyone reporting a problem is an evil hacker, even though they're wrong.

The U.S. Federal Trade Commission has brought legal action against vendors for not having sufficient vulnerability response capabilities. In their complaint against ASUS \[106\], they cite

the company's failure to _maintain an adequate process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics; … perform sufficient analysis of reported vulnerabilities in order to correct or mitigate all reasonably detectable instances of a reported vulnerability, such as those elsewhere in the software or in future releases; and … provide adequate notice to consumers regarding (i) known vulnerabilities or security risks, (ii) steps that consumers could take to mitigate such vulnerabilities or risks, and (iii) the availability of software updates that would correct or mitigate the vulnerabilities or risks._

Similar complaints have been included in FTC filings against HTC America \[107\] and Fandango \[108\].
