
Unresponsive Vendor

Sometimes, even when you can find contact information for the vendor, you discover that the vendor has no established process for receiving vulnerability reports. Potential reasons abound:

  • They haven't thought about it, even though they should have.
  • They don't realize they need it, even though they do.
  • They think their software process is already good enough, even if it's not.
  • They assume anyone reporting a problem is an evil hacker, even though they're wrong.

FTC Actions Against Vendors

The U.S. Federal Trade Commission has brought legal action against vendors for not having sufficient vulnerability response capabilities. In their complaint against ASUS, they cite the company's failure to

maintain an adequate process for receiving and addressing security vulnerability reports from third parties such as security researchers and academics;...perform sufficient analysis of reported vulnerabilities in order to correct or mitigate all reasonably detectable instances of a reported vulnerability, such as those elsewhere in the software or in future releases; and...provide adequate notice to consumers regarding (i) known vulnerabilities or security risks, (ii) steps that consumers could take to mitigate such vulnerabilities or risks, and (iii) the availability of software updates that would correct or mitigate the vulnerabilities or risks.

Similar complaints have been included in FTC filings against HTC America and Fandango.

Vendor stops responding

Role(s) affected: Reporter

Phase(s): Reporting, Validation and prioritization, Remediation, Public Awareness

Description:

  1. The reporter and vendor had already been in contact about the vulnerability.
  2. The reporter has repeatedly attempted to communicate with the vendor.
  3. The vendor has been non-responsive for at least two weeks.
  4. Either of the following events has occurred:
    1. An already-agreed embargo date has passed, or
    2. No embargo date was set and at least six weeks have elapsed since the vendor's last response.
  • At this point, the CERT/CC would consider the vendor to be non-responsive.
  • Assuming the reporter chooses to continue pursuing the issue at all, their options include:
    • The reporter may publish the report on their own.
      • If so, the reporter should provide a courtesy copy of the report to the vendor with a few days' lead time, giving the vendor one last chance to prepare for entering the Public Awareness phase.
    • The reporter may attempt to engage a coordinator.
  • See also: Somebody Stops Replying.
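The four conditions above combine into a single date-based test that a reporter tracking several open disclosures can apply mechanically. The following is an added example, not code from the CERT/CC guide: it takes a constructed contact log (who sent each message and when), an optional agreed embargo date, and the current date, and returns whether the vendor meets the non-responsive criteria together with the reason. The 14-day and six-week (42-day) thresholds come from the description above; treating "repeatedly attempted to communicate" as at least two reporter follow-ups after the vendor's last reply is this example's own assumption, as is the `Message` structure and the sample log.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds taken from the "Vendor stops responding" description.
MIN_SILENCE = timedelta(days=14)               # condition 3
MAX_SILENCE_WITHOUT_EMBARGO = timedelta(days=42)  # condition 4.2, six weeks
# Assumption (not stated on the page): "repeatedly" means at least two follow-ups.
MIN_FOLLOW_UPS = 2


@dataclass(frozen=True)
class Message:
    """One message in the reporter/vendor exchange (hypothetical structure)."""
    day: date
    sender: str  # "reporter" or "vendor"


def vendor_is_nonresponsive(log, today, embargo=None):
    """Apply the CERT/CC non-responsiveness criteria to a contact log.

    Returns (decision, reason). Only messages dated on or before `today`
    are considered, so the same log can be evaluated at different points
    in time.
    """
    seen = [m for m in log if m.day <= today]
    vendor_msgs = [m for m in seen if m.sender == "vendor"]
    # Condition 1: there must have been prior contact with the vendor.
    if not vendor_msgs:
        return False, "no prior vendor contact; this is not the 'stops responding' case"
    last_vendor = max(m.day for m in vendor_msgs)

    # Condition 2: repeated reporter attempts since the vendor went quiet.
    follow_ups = [m for m in seen if m.sender == "reporter" and m.day > last_vendor]
    if len(follow_ups) < MIN_FOLLOW_UPS:
        return False, f"only {len(follow_ups)} follow-up(s) since last vendor reply"

    # Condition 3: at least two weeks of vendor silence.
    silence = today - last_vendor
    if silence < MIN_SILENCE:
        return False, f"vendor silent for {silence.days} days (< {MIN_SILENCE.days})"

    # Condition 4.1: an agreed embargo date has passed.
    if embargo is not None:
        if today > embargo:
            return True, (f"agreed embargo {embargo} has passed; "
                          f"vendor silent for {silence.days} days")
        return False, f"agreed embargo {embargo} has not yet passed; keep waiting"

    # Condition 4.2: no embargo and six weeks since the last vendor reply.
    if silence >= MAX_SILENCE_WITHOUT_EMBARGO:
        return True, (f"no embargo set and {silence.days} days "
                      f"(>= {MAX_SILENCE_WITHOUT_EMBARGO.days}) since last vendor reply")
    return False, (f"no embargo set; {silence.days} days since last vendor reply "
                   f"(< {MAX_SILENCE_WITHOUT_EMBARGO.days})")


# Constructed sample log: the vendor last replied 1 March; the reporter
# followed up twice afterwards and heard nothing.
SAMPLE_LOG = [
    Message(date(2024, 2, 20), "reporter"),
    Message(date(2024, 2, 22), "vendor"),
    Message(date(2024, 3, 1), "vendor"),
    Message(date(2024, 3, 15), "reporter"),
    Message(date(2024, 3, 29), "reporter"),
]
TODAY = date(2024, 4, 15)          # 45 days after the last vendor reply
EARLY_TODAY = date(2024, 3, 20)    # 19 days after, only one follow-up so far
PASSED_EMBARGO = date(2024, 4, 1)  # agreed date already behind us on TODAY
FUTURE_EMBARGO = date(2024, 5, 1)  # agreed date still ahead on TODAY

if __name__ == "__main__":
    for label, when, emb in [("no embargo", TODAY, None),
                             ("embargo passed", TODAY, PASSED_EMBARGO),
                             ("embargo pending", TODAY, FUTURE_EMBARGO),
                             ("too early", EARLY_TODAY, None)]:
        decision, why = vendor_is_nonresponsive(SAMPLE_LOG, when, emb)
        print(f"{label:16} non-responsive={decision}: {why}")
```

The embargo branch is the one worth noting: once a date has been agreed, silence alone does not make the vendor non-responsive, even after six weeks; the reporter waits for the agreed date, and only then does the "publish on your own / engage a coordinator" choice apply.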