Stats: Disclosing Vulnerabilities Responsibility? Researcher or Manufacturer

Author: John Honovich, Published on Mar 30, 2018

Getting prompt and appropriate information on vulnerabilities is important for integrators and end users to ensure that their systems are best protected and updated against exploits.

But who should disclose this? Cybersecurity researcher, Bashis, who has found vulnerabilities in numerous video surveillance products, recently asked this. We gathered 150+ integrator responses to see what they believe is the right answer.

A clear theme emerged: Integrators overwhelmingly believe manufacturers are responsible for announcing but almost equally are worried that manufacturers will avoid that responsibility.

Inside we examine the results and share detailed integrator feedback.

******* ****** *** *********** *********** ** *************** ** ********* *** integrators *** *** ***** ** ****** **** ***** ******* *** best ********* *** ******* ******* ********.

*** *** ****** ******** ****? ************* **********, ******, *** *** found *************** ** ******** ***** ************ ********, ******** ***** ****. We ******** ***+ ********** ********* ** *** **** **** ******* is *** ***** ******.

* ***** ***** *******: *********** ************** ******* ************* *** *********** for ********** *** ****** ******* *** ******* **** ************* **** avoid **** **************.

****** ** ******* *** ******* *** ***** ******** ********** ********.

[***************]

Exec ******* - *****

*********** **** ******* ***** ******* ************* **********, *********** ********** *** 'both' **********:

Hiding ** *************

**** *********** ********* ******** **** ************* *** ********* ** **** or ******* ************* ***********:

  • "** ***** ** **** ** *** ************* ***, *** **** would **** ***** **** *** ***** ** ******** ***** ********* liability."
  • "*** ****** **** ******* ** ** **** *** ************ ** they **** ****** ********* ***** ************ ***** **** *** **** it ** ***** ******."
  • "***** ************* *** ********, **** ** *** ******* **** ******* and *** **** ** **** ** *********."
  • "************* ****** ** ******* ** ***** ******** ******* ******** **** the ********** ***** ******. ******** ** *** **** *********."
  • "***** ** ******* **** *********** **** ** **********'* ********** **** I **** ** ***** ** * ******** ****** ** ** issue ****** * **** ** **** *** ************. **** **** you **** ** *** ************ **** *** ***** *** **** it ** *** ****** *** *** **** ** ********* ** the **** ********."
  • "************** ***** ** ** *** ************, *** ** ******* **** would **** ** ** ***** ***** ***** ****** ** ****** due ** *** ******** ****** **** *************** *** ** *** rest ** *** ******."
  • "* ******'* ***** *** ************* ** ** *********** ***** *************** discovered ***** ***** ********."
  • "************* ***'* ** ****** **** ******* *********** ******* **** ** check"

Researchers ********, ** ************ ** ***

******* ** *** ******* ** ************'* ******, *** **** ****** integrator ******** *** **** *** ********** ****** ******** ** ** the ************ ******* ** ** **:

  • "*** ************ ****** *** ************ ***** ** ******** **, **** the ********** *** ***** **!"
  • "** *** ************ *****'* ******* *** **** **** *** ***** then *** ********** ****** **** ******* **** ***** *** *****."
  • "************ ****** ** **, *** ** **** *** “********* **********” then ** ***** ** *** ********** ** **** *** ************ to *** ******."
  • "** *** ************ **** *** ******** ***** ** *** **** found, **** *** ********** ****** ***** * ************ ** ******** and ***** * ***** ****** ** **** **** *** ********."
  • "*** **** ** ** *** ************, *******, ** ** **** known **** **** ***'* ****** ******** *** ************* ***** **** have ******* **. ********* ** **** **** **** ** *** researcher ** ****** **** ****** ******* ** ** * ***** like **** *** ***** ** **** ** ****."
  • "*** ****** *** ***** ** ****** ******* *** ***** ** the ******* *** (********* ** *** ****** ** *** *************) give **** ** *********** **** ** ******* *** *******, **** if ** ****** *****, *** ****** *** ***** ** ****** make ******."
  • "** * ******* *****: *** ************. ******* *** *** * perfect *****, ** * ************* ** ********** *** *** ************ will *** ***** *** ** *** ** **** ** *-* months *** ********** *** ***** ** ****** ******** **."
  • "** ****** ** *** ************* ********** ** ****** ***** ******* and *** ******** ** * ****** ******. ** **** ************ is *** ****, **** * ******* **** *** ********** *** an ************** ** ******* ***** ******** *** **** **** ***** to *** ******."
  • "*** ************ *** * ************** ** ***** *********** ** ******** vunerabilities **** *** ****** ***** ****** ********. ** **** ** not ******* ** ** *****, ** ****** ** **** ******."
  • "*** *** ****** **** ** ******** *** *********** ** ******* the ***** *** ************ ** *** **** ****. ** *** repair *** *** ***** *****, *** ********** ****** ******** *** finding."
  • "********** ****** ****** *** ************ *** ** ************ **** *** make ** ***** ** ****** *** ***** *********** **** ********** need ** *** **** ** ****** **** *****."
  • "** *** ************ ******* **** *** **** *** ******* ****** and ******* ** ******* ** *****'* *****, **** ** ** perfectly ********** *** *** ********** ** ***** ***** **** ************** they **** ***** *** *****, ******** ********* *** *** *********, or *** ********* **** ***** ** *** *********** **** **** will *** ********* **** **************/****** *** ***** ******."

Both ********

**** *********** ********* **** '****' ** '***' ****** ******** *** disclose ** ******** *** *********** **** ***** ****** *** ***** out ** *********** *** *****:

  • "****** ****, ** **** *** ******** ****** **** ****** **** a ***** ******* *** ******** *** ******** ****** ******* *** loudly."
  • "****. ** ********* ***** **** ** **** *** ********** **** went *****"
  • "****. ****** ************* ** ********** ********* *** *************, *** *** manufacturer ******** *** ** ******* ***** *******."
  • "**** *** *********** *******. ** *** **** ** * *************** to * ******* ** ***** ** ** *** **** ******** of ********* *** *** *** ******* ** ** **** ***** immediately ** *****-******** ******. ********** ****** ****** *** ************ *** if ************ **** *** **** ** ***** ** ****** *** issue *********** **** ********** **** ** *** **** ** ****** area *****."
  • "****. *** *********** ****** ******* *** ************ **** * **** date ****** **** **** ** *** *** ************* *** **** announce *** ******** **** ** ****** **. **** *** ********** will *** ** ********, *** *********** **** ****."
  • "* ***** ****. *** ********** ****** ******* ** ** *** public *** *** ************ *** *** ****** ************** ** ********** their ******* *************** *** ******* ** *** *** ******."
  • "****. *** *** ********** ****** ** *******, ** *** ************'* inherent ******** ** ******** ***** **** ****** ** ********* (** non) **********."
  • "****. ** ***** ** * ****** ********. ************* ***'* ** relied **** ******* *********** ******* **** ** *****, *** ***** researches **** ********** * ************* ** **** * **** *** themselves."

Burden *** ***********

***** ** ** ************** *** *********** ***** **** *********** ** announce / ********, **** *********** *** *********** ** *************, *** marketing ** ****** *********. ****, **** *** ***** **** *** no ************, ** ** *** ** ****** *** **** ********* for **** ** ********** **** ***********.

Marketing ******** *** ************* *********

** *** ***** ****, ************* ********* *** ******** **** *********** can ** ***** ********* *** **** (*.*.,*****'* *** ** ******** ********** ************ *************,****** / ********* ************* *******). **** **** ********** ************* ** ********* ***** **** ********** issues *** **** **** ******* **** ****** ***** ******* ** get ***** ********* ******** ********. **** *** ** ****** ** both *** ************* *** **** *** *************** *** * ******* for *********** *** **** **** ** **** **** *** ************ of *** *********** ****** ** *** ** ********.

Challenging ********* *** ***

**********, *** ********* ** * *********** *** **** (*) **** manufacturers ********* ** ******* ** **** ********, (*) *********** ******** to ****** ****** ********* *** (*) ************* ********* ******* *** vulnerabilities ** ****** ***** *** *********.

Comments (11)

Avatar

Jonathan Lewit

03/30/18 05:10pm

******* ************ ** *** ******** ******* ********* ********. **** ******* a **** *** *****, *****'* *********** **** ****** *** ********** it. **** ******* **** *** **** ** ********** ****** ****** remedies *** ** *** ** *****? ** **** ******** **** risk ** *********** ********** **** ********* *** **** **** *********?

****** **** *** *********** ****, * ** * *** ******** of *** ************ ******** ** *** ****** *** ****. *** critical **** ** ** ***** ***** **** ******** ******** *** customers. ***** ******** ** * ******* ***** **** ******** *** parties ** **** ********. ** ****** ****** *** ******** ********** of *** *****, *** ****** ****** **** ****** *******.

bashis mcw

In reply to Jonathan Lewit | 03/30/18 06:00pm

******** ******* ********* ********

***** **** * **** ****, *** **** ***** ** ******.

**** ******* * **** *** *****, *****'* *********** **** ****** was ********** **. **** ******* **** *** **** ** ********** before ****** ******** *** ** *** ** *****? ** **** creating **** **** ** *********** ********** **** ********* *** **** gone *********?

* ***'* ** ****, *** ** ***** ** ** *** already **** ********* ** *** *** ** *******.

**** * ** ****** (**** **** *** **********) *** *** things * **** ***** ***** *********** (*** ***** **), *** been ***** *** ***** ** **** ******/************* *** **** *********** itself, * ** *** ** ***** **** * ***** *'* the ***** *** *** **** +* ** **** +** ***** backdoor ***/** ***************.

* *** ** *** ***** *** *** ******** ********, *** that ** ********* *****.

Avatar

Jonathan Lewit

In reply to bashis mcw | 03/30/18 06:29pm

* ***** ***** **** *** ******** *** ******** ******* *********. Indeed * **** **** ******* *********** ****** ************* ******** *********, where **** ** ***** ****** ** * *********.

*****, * ***** ** ***** **** ** ***** *** ***** try ** **** ******* ***** **** *********.

bashis mcw

In reply to Jonathan Lewit | 03/30/18 07:43pm

******** *** ******** ******* *********

* **** **** **** ********* ******** ** **** ** '******** through *********', *** ***** **** * ********* ********* ******** * ask ****** '**** *** *** ****** ** **** **** ** so ********* **** *** **** ** ******* *** ********?"

* ***'* *** *** ***** ** ******* ********, ****** ** is ****** **** ***** ** ********** ***** ******** ** ******** to ***** ****** **** *********** ***** *** ******.

*****, * ***** ** ***** **** ** ***** *** ***** try ** **** ******* ***** **** *********.

***** ** ******* ***** **** ***, *** ***** **** ** know **** **** '*****' *** '*************' *** ****?

Rodney Thayer

In reply to bashis mcw | 04/02/18 02:17pm

* ***** ********** ** * ********* ** ******* *********** *********** or ******** **** ** ********* **********.

********** ** ******* **** **** *** ****** ************* ******* *** can't **** *** ****** ****** *** **** ** *** *******.

* **** ***** * ****** ******** ****** ***** ** ******* access ** **** ******* ******* ********* *** ********.

*.*. ******* **** ******* ******* **** ** ******* ****** ***** relate ** **** ***..

Undisclosed #1

03/30/18 05:21pm

***** ****** ** * ****** *** *** *********** **** ******* or *** **** **** *** ********** ** ******* **** ***** to ** **** ** ********* **** * ******* *******. **** of ** ****** ***** ****** *** **** ** ** ****** adopt *** ****. ********* **** ** *** **** *** ********* in **** *** ************** ********* *** ****** **** *** ****** of *** ****** * ******** ** * ******* ********. ***** of *** ******** ******** ***, ** ******* ****** *** **** complex **** ********, ** *** ** **** *** ******** ******* does ** ** ** ********* ******** *** **** **.

** ******* ****** **, ** ******* ** *** ******* ** the ********** ** ******** **** *** *** ***** *** **** could ****** ** * *** ** *** *****, ******* ** caffeine *****.

John Honovich

IPVM | In reply to Undisclosed #1 | 03/30/18 05:23pm

***** ****** ** * ****** *** *** *********** ****

* ***** ***** ****** ** *** *** ****** **** **? The ***** **** ********** *** *** *************, *** ** *** results ***** ****, *********** *** ********** ********* **** ** *** manufacturer ******* *** **********, **** **** *** **** ** *** vulnerability *** ***** ********* ** ***.

bashis mcw

In reply to John Honovich | 03/30/18 05:51pm

****, **** *** *** ******* ***** **** ** *** (*** Disclosure *********), ***** ****** ** ** ******* ******** **** "***** and/or ********* **** *****" **** ********** *************** *** ****** **** manufacture.

*'* ***% ******* ** **** *** ***, ** **** ****** you *** *** *********** *******.

*******, *** *** ******** * ******** **** **** ***, ** need ** ***** ** ** **** *** ** **** ***** naturally **** *** **** *** **.

bashis mcw

In reply to Undisclosed #1 | 03/30/18 06:23pm

** ******* ****** **, ** ******* ** *** ******* ** the ********** ** ******** **** *** *** ***** *** **** could ****** ** * *** ** *** *****, ******* ** caffeine *****.

** **** ** ********* ** ** *******, ** ** **** help ***** *********** ** ****** *** **** *****, ***/*** *** have ******* ********** ** ***** ***** *******... ***.

***, ** ****** ** **** **** ********** **** ** **** devices *********** **** **** / *******, ** **** ************* *********, but * ********* ***** **** ********** ** *** **** ****** in *******.

Undisclosed #1

In reply to bashis mcw | 04/02/18 01:35am

***** *** ****** ***. ********** *** **** ******. * ****** viewed **** *** ******* *** ********* *** ****, ******* *** internal *********** ********* ** *** ************** *** ******** **** ******* reaction ** ***** *** ********.

********** ******, ******* * **** ****** ****** ****, ****, **** reduced ** * ****** *******. **** ** ** ********* ******* to ******* *** ********* ******* ** *** ********.

*****, ***** *** ******. * **** *** *** *** ******** store ****** ******* **** **** ***** ***** ********** ** ******** with *****.

Avatar

Michael Glasser

04/01/18 09:46am

*** ***** **********, **** ** **** *********** ** **** *****. No *********** *******.

"***/*** *****:**** ***** ********** *** *** ********** ** ********* *************** in ******** *** ****** ********. ** ******* *** ******* * vendor ****** *** ** ******* ****** ******* ** ************* **********. ISO/IEC *****:****"

********* - ******* ******

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

BluB0x Company Profile on Feb 20, 2019
BluB0x has doubled in revenue every year since its founding in 2013, according to CEO Patrick Barry. We originally reported on them in 2015. At the...
Ubiquiti Favorability Results 2019 on Feb 18, 2019
Ubiquiti has quietly grown into a $1+ billion annual revenue company, with offerings across wireless, wireline network and video surveillance (see...
Uniview / UNV Favorability Results 2019 on Feb 12, 2019
Uniview / UNV, the self-proclaimed #3 China manufacturer, while starting late, has been working to make inroads internationally. In IPVM's 2019...
Solink Raises $12 Million - Company Profile on Feb 12, 2019
Most industry professionals have never heard of Solink, a company whose tagline is: It's time to revolutionize the way business uses...
Barnes Buchanan 2019: Despite 'Strange Narrative' Great Time To Be In Security on Feb 11, 2019
A "strange narrative" is being spun, said Michael Barnes at the 2019 Barnes Buchanan Conference. However, despite that narrative, it is a "great...
Milestone Drops Hikvision From Elite Partners on Feb 11, 2019
Milestone has quietly dropped Hikvision from their 'Elite Partners', less than 3 years after adding the Chinese government-owned...
FLIR Favorability Results 2019 on Feb 08, 2019
FLIR has had a challenging past few years including FLIR Security business struggling, FLIR restructuring their security division and FLIR selling...
Sony Favorability Results 2019 on Feb 06, 2019
Sony Favorability amongst integrators improved moderately compared to their 2017 favorability results, with a modest net positive...
ADT And SimpliSafe Super Bowl LIII Ads Criticized on Feb 04, 2019
Super Bowl ads are incredibly expensive, running $5+ million this year, but two of the security industry's most controversial companies ran ads...
Surging Wyze Raises $20 Million, Threat To Chinese Brands on Feb 01, 2019
The Seattle Startup that is disrupting consumer IP cameras with $20 pricing has just raised $20 million dollars (SEC Filing and company press...

Most Recent Industry Reports

Outdoor Camera Mounting Hardware Guide on Feb 21, 2019
Mounting cameras outdoors can be challenging, requiring understanding different types of equipment and methods. In this guide, we teach this...
HID Favorability Results 2019 on Feb 21, 2019
HID favorability results were strong, in the 2019 IPVM integrator study of 200+ integrators, with a net +62% and low negativity as the table below...
First US State, Vermont, Bans Dahua and Hikvision on Feb 21, 2019
The first US state, Vermont, has issued a ban on a number of Chinese and Russian manufacturers including the world's 2 largest video surveillance...
ADI 'SAVE BIG' On FLIR And Hikvision Examined on Feb 20, 2019
One is a major US defense supplier. The other is owned by the Chinese government. But you can "SAVE BIG" on both at ADI. In this note, we...
BluB0x Company Profile on Feb 20, 2019
BluB0x has doubled in revenue every year since its founding in 2013, according to CEO Patrick Barry. We originally reported on them in 2015. At the...
Security Installation Tools Guide - 22 Tools Listed on Feb 19, 2019
In this guide, we cover 22 tools that security installers frequently use. This is one part of our upcoming Video Surveillance...
Sales Cuts At Rasilient on Feb 19, 2019
Over the past 2 years, video surveillance storage specialist Rasilient has expanded its workforce significantly, aiming to build its own branded...
Exacq Raises VMS Software Pricing Twice in Less Than a Year on Feb 18, 2019
Most VMSes regularly release new features, but rarely increase their prices. For the 3rd time in 4 years, and 2nd time in 8 months, since being...
Axis IR Multi Imager Camera Tested (P3717-PLE) on Feb 18, 2019
Axis has released their first IR multi imager, the P3717-PLE, a repositionable model listing 360° IR illumination and flexible positioning,...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact