Should Manufacturers Disclose Vulnerabilities They Find And Fix?

If a manufacturer finds a vulnerability in their software, either through internal processes or through external penetration tests done by hired firms, should they make users aware of the vulnerability? If yes, should they disclose it immediately upon discovery, or only after updated software is available?


