Furthermore, even when you can find the vendor, not all vendors have established processes for receiving vulnerability reports. Again, potential reasons abound:
- They haven't thought about it, even though they should have.
- They don't realize they need it, even though they do.
- They think their software process is already good enough, even if it's not.
- They assume anyone reporting a problem is an evil hacker, even though they're wrong.
The U.S. Federal Trade Commission has brought legal action against vendors for not having sufficient vulnerability response capabilities. In their complaint against ASUS [106], they cite the company's failure to
maintain an adequate process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics; ... perform sufficient analysis of reported vulnerabilities in order to correct or mitigate all reasonably detectable instances of a reported vulnerability, such as those elsewhere in the software or in future releases; and ... provide adequate notice to consumers regarding (i) known vulnerabilities or security risks, (ii) steps that consumers could take to mitigate such vulnerabilities or risks, and (iii) the availability of software updates that would correct or mitigate the vulnerabilities or risks.
Similar complaints have been included in FTC filings against HTC America [107] and Fandango [108].