Furthermore, even when you can find the vendor, not all vendors have established processes for receiving vulnerability reports. Again, potential reasons abound:

The U.S. Federal Trade Commission has brought legal action against vendors for not having sufficient vulnerability response capabilities. In their complaint against ASUS [1], they cite the company's failure to

maintain an adequate process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics;…perform sufficient analysis of reported vulnerabilities in order to correct or mitigate all reasonably detectable instances of a reported vulnerability, such as those elsewhere in the software or in future releases; and...provide adequate notice to consumers regarding (i) known vulnerabilities or security risks, (ii) steps that consumers could take to mitigate such vulnerabilities or risks, and (iii) the availability of software updates that would correct or mitigate the vulnerabilities or risks.

Similar complaints have been included in FTC filings against HTC America [2] and Fandango [3].

< 6.1 Unable to Find Vendor Contact | 6.3 Somebody Stops Replying >


  1. Federal Trade Commission, "ASUSTeK Computer Inc., In the Matter of," 28 July 2016. [Online]. Available: https://www.ftc.gov/enforcement/cases-proceedings/142-3156/asustek-computer-inc-matter. [Accessed 16 May 2017].
  2. Federal Trade Commission, "HTC America Inc., In the Matter of," 2 July 2013. [Online]. Available: https://www.ftc.gov/enforcement/cases-proceedings/122-3049/htc-america-inc-matter. [Accessed 16 May 2017].
  3. Federal Trade Commission, "Fandango, LLC," 19 August 2014. [Online]. Available: https://www.ftc.gov/enforcement/cases-proceedings/132-3089/fandango-llc. [Accessed 16 May 2017].