Stats: Disclosing Vulnerabilities Responsibility? Researcher or Manufacturer

Author: John Honovich, Published on Mar 30, 2018

Getting prompt and appropriate information on vulnerabilities is important for integrators and end users to ensure that their systems are best protected and updated against exploits.

But who should disclose this? Cybersecurity researcher, Bashis, who has found vulnerabilities in numerous video surveillance products, recently asked this. We gathered 150+ integrator responses to see what they believe is the right answer.

A clear theme emerged: Integrators overwhelmingly believe manufacturers are responsible for announcing but almost equally are worried that manufacturers will avoid that responsibility.

Inside we examine the results and share detailed integrator feedback.

******* ****** *** *********** *********** ** *************** ** ********* *** integrators *** *** ***** ** ****** **** ***** ******* *** best ********* *** ******* ******* ********.

*** *** ****** ******** ****? ************* **********, ******, *** *** found *************** ** ******** ***** ************ ********, ******** ***** ****. We ******** ***+ ********** ********* ** *** **** **** ******* is *** ***** ******.

* ***** ***** *******: *********** ************** ******* ************* *** *********** for ********** *** ****** ******* *** ******* **** ************* **** avoid **** **************.

****** ** ******* *** ******* *** ***** ******** ********** ********.

[***************]

Exec ******* - *****

*********** **** ******* ***** ******* ************* **********, *********** ********** *** 'both' **********:

Hiding ** *************

**** *********** ********* ******** **** ************* *** ********* ** **** or ******* ************* ***********:

"** ***** ** **** ** *** ************* ***, *** **** would **** ***** **** *** ***** ** ******** ***** ********* liability."
"*** ****** **** ******* ** ** **** *** ************ ** they **** ****** ********* ***** ************ ***** **** *** **** it ** ***** ******."
"***** ************* *** ********, **** ** *** ******* **** ******* and *** **** ** **** ** *********."
"************* ****** ** ******* ** ***** ******** ******* ******** **** the ********** ***** ******. ******** ** *** **** *********."
"***** ** ******* **** *********** **** ** **********'* ********** **** I **** ** ***** ** * ******** ****** ** ** issue ****** * **** ** **** *** ************. **** **** you **** ** *** ************ **** *** ***** *** **** it ** *** ****** *** *** **** ** ********* ** the **** ********."
"************** ***** ** ** *** ************, *** ** ******* **** would **** ** ** ***** ***** ***** ****** ** ****** due ** *** ******** ****** **** *************** *** ** *** rest ** *** ******."
"* ******'* ***** *** ************* ** ** *********** ***** *************** discovered ***** ***** ********."
"************* ***'* ** ****** **** ******* *********** ******* **** ** check"

Researchers ********, ** ************ ** ***

******* ** *** ******* ** ************'* ******, *** **** ****** integrator ******** *** **** *** ********** ****** ******** ** ** the ************ ******* ** ** **:

"*** ************ ****** *** ************ ***** ** ******** **, **** the ********** *** ***** **!"
"** *** ************ *****'* ******* *** **** **** *** ***** then *** ********** ****** **** ******* **** ***** *** *****."
"************ ****** ** **, *** ** **** *** “********* **********” then ** ***** ** *** ********** ** **** *** ************ to *** ******."
"** *** ************ **** *** ******** ***** ** *** **** found, **** *** ********** ****** ***** * ************ ** ******** and ***** * ***** ****** ** **** **** *** ********."
"*** **** ** ** *** ************, *******, ** ** **** known **** **** ***'* ****** ******** *** ************* ***** **** have ******* **. ********* ** **** **** **** ** *** researcher ** ****** **** ****** ******* ** ** * ***** like **** *** ***** ** **** ** ****."
"*** ****** *** ***** ** ****** ******* *** ***** ** the ******* *** (********* ** *** ****** ** *** *************) give **** ** *********** **** ** ******* *** *******, **** if ** ****** *****, *** ****** *** ***** ** ****** make ******."
"** * ******* *****: *** ************. ******* *** *** * perfect *****, ** * ************* ** ********** *** *** ************ will *** ***** *** ** *** ** **** ** *-* months *** ********** *** ***** ** ****** ******** **."
"** ****** ** *** ************* ********** ** ****** ***** ******* and *** ******** ** * ****** ******. ** **** ************ is *** ****, **** * ******* **** *** ********** *** an ************** ** ******* ***** ******** *** **** **** ***** to *** ******."
"*** ************ *** * ************** ** ***** *********** ** ******** vunerabilities **** *** ****** ***** ****** ********. ** **** ** not ******* ** ** *****, ** ****** ** **** ******."
"*** *** ****** **** ** ******** *** *********** ** ******* the ***** *** ************ ** *** **** ****. ** *** repair *** *** ***** *****, *** ********** ****** ******** *** finding."
"********** ****** ****** *** ************ *** ** ************ **** *** make ** ***** ** ****** *** ***** *********** **** ********** need ** *** **** ** ****** **** *****."
"** *** ************ ******* **** *** **** *** ******* ****** and ******* ** ******* ** *****'* *****, **** ** ** perfectly ********** *** *** ********** ** ***** ***** **** ************** they **** ***** *** *****, ******** ********* *** *** *********, or *** ********* **** ***** ** *** *********** **** **** will *** ********* **** **************/****** *** ***** ******."

Both ********

**** *********** ********* **** '****' ** '***' ****** ******** *** disclose ** ******** *** *********** **** ***** ****** *** ***** out ** *********** *** *****:

"****** ****, ** **** *** ******** ****** **** ****** **** a ***** ******* *** ******** *** ******** ****** ******* *** loudly."
"****. ** ********* ***** **** ** **** *** ********** **** went *****"
"****. ****** ************* ** ********** ********* *** *************, *** *** manufacturer ******** *** ** ******* ***** *******."
"**** *** *********** *******. ** *** **** ** * *************** to * ******* ** ***** ** ** *** **** ******** of ********* *** *** *** ******* ** ** **** ***** immediately ** *****-******** ******. ********** ****** ****** *** ************ *** if ************ **** *** **** ** ***** ** ****** *** issue *********** **** ********** **** ** *** **** ** ****** area *****."
"****. *** *********** ****** ******* *** ************ **** * **** date ****** **** **** ** *** *** ************* *** **** announce *** ******** **** ** ****** **. **** *** ********** will *** ** ********, *** *********** **** ****."
"* ***** ****. *** ********** ****** ******* ** ** *** public *** *** ************ *** *** ****** ************** ** ********** their ******* *************** *** ******* ** *** *** ******."
"****. *** *** ********** ****** ** *******, ** *** ************'* inherent ******** ** ******** ***** **** ****** ** ********* (** non) **********."
"****. ** ***** ** * ****** ********. ************* ***'* ** relied **** ******* *********** ******* **** ** *****, *** ***** researches **** ********** * ************* ** **** * **** *** themselves."

Burden *** ***********

***** ** ** ************** *** *********** ***** **** *********** ** announce / ********, **** *********** *** *********** ** *************, *** marketing ** ****** *********. ****, **** *** ***** **** *** no ************, ** ** *** ** ****** *** **** ********* for **** ** ********** **** ***********.

Marketing ******** *** ************* *********

** *** ***** ****, ************* ********* *** ******** **** *********** can ** ***** ********* *** **** (*.*.,*****'* *** ** ******** ********** ************ *************,****** / ********* ************* *******). **** **** ********** ************* ** ********* ***** **** ********** issues *** **** **** ******* **** ****** ***** ******* ** get ***** ********* ******** ********. **** *** ** ****** ** both *** ************* *** **** *** *************** *** * ******* for *********** *** **** **** ** **** **** *** ************ of *** *********** ****** ** *** ** ********.

Challenging ********* *** ***

**********, *** ********* ** * *********** *** **** (*) **** manufacturers ********* ** ******* ** **** ********, (*) *********** ******** to ****** ****** ********* *** (*) ************* ********* ******* *** vulnerabilities ** ****** ***** *** *********.

Comments (11)

Jonathan Lewit

03/30/18 05:10pm

******* ************ ** *** ******** ******* ********* ********. **** ******* a **** *** *****, *****'* *********** **** ****** *** ********** it. **** ******* **** *** **** ** ********** ****** ****** remedies *** ** *** ** *****? ** **** ******** **** risk ** *********** ********** **** ********* *** **** **** *********?

****** **** *** *********** ****, * ** * *** ******** of *** ************ ******** ** *** ****** *** ****. *** critical **** ** ** ***** ***** **** ******** ******** *** customers. ***** ******** ** * ******* ***** **** ******** *** parties ** **** ********. ** ****** ****** *** ******** ********** of *** *****, *** ****** ****** **** ****** *******.

bashis mcw

In reply to Jonathan Lewit | 03/30/18 06:00pm

******** ******* ********* ********

***** **** * **** ****, *** **** ***** ** ******.

**** ******* * **** *** *****, *****'* *********** **** ****** was ********** **. **** ******* **** *** **** ** ********** before ****** ******** *** ** *** ** *****? ** **** creating **** **** ** *********** ********** **** ********* *** **** gone *********?

* ***'* ** ****, *** ** ***** ** ** *** already **** ********* ** *** *** ** *******.

**** * ** ****** (**** **** *** **********) *** *** things * **** ***** ***** *********** (*** ***** **), *** been ***** *** ***** ** **** ******/************* *** **** *********** itself, * ** *** ** ***** **** * ***** *'* the ***** *** *** **** +* ** **** +** ***** backdoor ***/** ***************.

* *** ** *** ***** *** *** ******** ********, *** that ** ********* *****.

Jonathan Lewit

In reply to bashis mcw | 03/30/18 06:29pm

* ***** ***** **** *** ******** *** ******** ******* *********. Indeed * **** **** ******* *********** ****** ************* ******** *********, where **** ** ***** ****** ** * *********.

*****, * ***** ** ***** **** ** ***** *** ***** try ** **** ******* ***** **** *********.

bashis mcw

In reply to Jonathan Lewit | 03/30/18 07:43pm

******** *** ******** ******* *********

* **** **** **** ********* ******** ** **** ** '******** through *********', *** ***** **** * ********* ********* ******** * ask ****** '**** *** *** ****** ** **** **** ** so ********* **** *** **** ** ******* *** ********?"

* ***'* *** *** ***** ** ******* ********, ****** ** is ****** **** ***** ** ********** ***** ******** ** ******** to ***** ****** **** *********** ***** *** ******.

*****, * ***** ** ***** **** ** ***** *** ***** try ** **** ******* ***** **** *********.

***** ** ******* ***** **** ***, *** ***** **** ** know **** **** '*****' *** '*************' *** ****?

Rodney Thayer

In reply to bashis mcw | 04/02/18 02:17pm

* ***** ********** ** * ********* ** ******* *********** *********** or ******** **** ** ********* **********.

********** ** ******* **** **** *** ****** ************* ******* *** can't **** *** ****** ****** *** **** ** *** *******.

* **** ***** * ****** ******** ****** ***** ** ******* access ** **** ******* ******* ********* *** ********.

*.*. ******* **** ******* ******* **** ** ******* ****** ***** relate ** **** ***..

Undisclosed #1

03/30/18 05:21pm

***** ****** ** * ****** *** *** *********** **** ******* or *** **** **** *** ********** ** ******* **** ***** to ** **** ** ********* **** * ******* *******. **** of ** ****** ***** ****** *** **** ** ** ****** adopt *** ****. ********* **** ** *** **** *** ********* in **** *** ************** ********* *** ****** **** *** ****** of *** ****** * ******** ** * ******* ********. ***** of *** ******** ******** ***, ** ******* ****** *** **** complex **** ********, ** *** ** **** *** ******** ******* does ** ** ** ********* ******** *** **** **.

** ******* ****** **, ** ******* ** *** ******* ** the ********** ** ******** **** *** *** ***** *** **** could ****** ** * *** ** *** *****, ******* ** caffeine *****.

John Honovich

IPVM | In reply to Undisclosed #1 | 03/30/18 05:23pm

***** ****** ** * ****** *** *** *********** ****

* ***** ***** ****** ** *** *** ****** **** **? The ***** **** ********** *** *** *************, *** ** *** results ***** ****, *********** *** ********** ********* **** ** *** manufacturer ******* *** **********, **** **** *** **** ** *** vulnerability *** ***** ********* ** ***.

bashis mcw

In reply to John Honovich | 03/30/18 05:51pm

****, **** *** *** ******* ***** **** ** *** (*** Disclosure *********), ***** ****** ** ** ******* ******** **** "***** and/or ********* **** *****" **** ********** *************** *** ****** **** manufacture.

*'* ***% ******* ** **** *** ***, ** **** ****** you *** *** *********** *******.

*******, *** *** ******** * ******** **** **** ***, ** need ** ***** ** ** **** *** ** **** ***** naturally **** *** **** *** **.

bashis mcw

In reply to Undisclosed #1 | 03/30/18 06:23pm

** ******* ****** **, ** ******* ** *** ******* ** the ********** ** ******** **** *** *** ***** *** **** could ****** ** * *** ** *** *****, ******* ** caffeine *****.

** **** ** ********* ** ** *******, ** ** **** help ***** *********** ** ****** *** **** *****, ***/*** *** have ******* ********** ** ***** ***** *******... ***.

***, ** ****** ** **** **** ********** **** ** **** devices *********** **** **** / *******, ** **** ************* *********, but * ********* ***** **** ********** ** *** **** ****** in *******.

Undisclosed #1

In reply to bashis mcw | 04/02/18 01:35am

***** *** ****** ***. ********** *** **** ******. * ****** viewed **** *** ******* *** ********* *** ****, ******* *** internal *********** ********* ** *** ************** *** ******** **** ******* reaction ** ***** *** ********.

********** ******, ******* * **** ****** ****** ****, ****, **** reduced ** * ****** *******. **** ** ** ********* ******* to ******* *** ********* ******* ** *** ********.

*****, ***** *** ******. * **** *** *** *** ******** store ****** ******* **** **** ***** ***** ********** ** ******** with *****.

Michael Glasser

04/01/18 09:46am

*** ***** **********, **** ** **** *********** ** **** *****. No *********** *******.

"***/*** *****:**** ***** ********** *** *** ********** ** ********* *************** in ******** *** ****** ********. ** ******* *** ******* * vendor ****** *** ** ******* ****** ******* ** ************* **********. ISO/IEC *****:****"

********* - ******* ******

Login to read this IPVM report.

Why do I need to log in?

IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Imperial Capital Security Investor Conference is an event matching industry executives with financiers that frequently leads to future funding...

Foolish Strategy: OEMing Facial Recognition on Dec 13, 2018

Almost as 'hot' as face recognition marketing right now is OEMing facial recognition. Last year, they were a who's who of company's with...

Top 2019 Trend - AI Video Analytics on Dec 10, 2018

160+ Integrators answered: What do you think the top industry trend will be in 2019? Why? AI / video analytics was the run-away winner with...

AV Tech Company Profile on Dec 07, 2018

Taiwanese manufacturer AV Tech's revenue declined ~70% since 2012. Planning a comeback, AV Tech spoke to IPVM about their opportunities and...

ADT Wins Fire Death Suit But Faces Appeal on Dec 05, 2018

ADT/Protection 1 has won a wrongful death court case in which it was sued by the estate of a deceased customer. However, the attorney for the...

Fullerton Returns, Joins OpenEye on Dec 04, 2018

Eric Fullerton became one of the most famous people in the industry as the Chief Sales and Marketing Officer of Milestone as Milestone became the...

SS&Si Claims To Be "The New Face of Security Distribution" on Dec 03, 2018

Can 27-year-old Jake Voll disrupt the security distribution giants? He has positioned his company SS&Si as the 'NEW FACE' of...

Longse USA Profile on Nov 30, 2018

In September 2017, Longse bought and opened their USA office. As one of the largest South China surveillance manufacturers, they have previously...

ADT Promotes DIFY - "Do It For You" on Nov 30, 2018

"Do It Yourself" (DIY) is a popular expression and has become such a common word that it has even made the Cambridge English dictionary. But why...

Strong Outlook For 2019 on Nov 29, 2018

Integrators are bullish for 2019, with nearly 80% showing a positive outlook in our integrator results from 160+ respondents: This is almost...

Most Recent Industry Reports

Imperial Capital Security Investor Conference 2018 Review - ADT, Resideo, Alarm.com, Arlo, Eagle Eye, ACRE, More on Dec 14, 2018

Imperial Capital Security Investor Conference is an event matching industry executives with financiers that frequently leads to future funding...

Cisco Meraki New Cameras and AI Analytics on Dec 14, 2018

Meraki has released their second generation of video surveillance with 3 new cameras, AI-based video analytics, and 2 cloud-based storage...

Foolish Strategy: OEMing Facial Recognition on Dec 13, 2018

Almost as 'hot' as face recognition marketing right now is OEMing facial recognition. Last year, they were a who's who of company's with...

DVR Examiner - Video Recovery from Recorder Hard Drives on Dec 13, 2018

Bypassing passwords and long download times on-site, DVR Examiner collects and organizes video evidence directly from a hard drive extracted from...

2019 Access Control Book Released on Dec 12, 2018

This is the best, most comprehensive access control book in the world, based on our unprecedented research and testing has been significantly...

Huawei Hisilicon Quietly Powering Tens of Millions of Western IoT Devices on Dec 12, 2018

Huawei Hisilicon chips are powering, at least, tens of millions of Western IoT devices, such as IP cameras and surveillance recorders, a fact that...

FLIR Launches Body Cameras Unified With VMS (TruWitness) on Dec 11, 2018

While FLIR is best known for their thermal cameras, now they have expanded into body cameras, launching TruWITNESS, a public safety focused body...

Startup Sunflower Labs' Autonomous Drone Security System on Dec 11, 2018

Startup Sunflower Labs is claiming a unique design on a home security system, combining autonomous drones and 'Sunflower' sensors. Imagine an...

The 2019 Video Surveillance Industry Guide on Dec 10, 2018

The 300 page, 2019 Video Surveillance Industry Guide, covers the key events and the future of the video surveillance market, is now available,...

Multi-Factor Access Control Authentication Guide on Dec 10, 2018

Can a stranger use your credentials? One of the oldest problems facing access control is making credentials as easy to use as keys, but restricting...

Stats: Disclosing Vulnerabilities Responsibility? Researcher or Manufacturer

Comments (11)

Jonathan Lewit

bashis mcw

Jonathan Lewit

bashis mcw

Rodney Thayer

Undisclosed #1

John Honovich

bashis mcw

bashis mcw

Undisclosed #1

Michael Glasser

Login to read this IPVM report.

Related Reports

Most Recent Industry Reports

Member Login