Stats: Disclosing Vulnerabilities, Whose Responsibility? Researcher or Manufacturer

Author: John Honovich, Published on Mar 30, 2018

Getting prompt and accurate information about vulnerabilities matters to integrators and end users: without it they cannot patch their systems or otherwise protect them against exploitation.

But who should disclose this? Cybersecurity researcher Bashis, who has found vulnerabilities in numerous video surveillance products, recently raised this question. We gathered 150+ integrator responses to see what they believe the right answer is.

A clear theme emerged: integrators overwhelmingly believe manufacturers are responsible for announcing vulnerabilities, but almost as many are worried that manufacturers will avoid that responsibility.

Inside we examine the results and share detailed integrator feedback.

[The remainder of the report, including the results breakdown and the 11 reader comments, is members-only and is not included in this copy.]
