Stats: Disclosing Vulnerabilities Responsibility? Researcher or Manufacturer

Author: John Honovich, Published on Mar 30, 2018

Getting prompt and appropriate information on vulnerabilities is important for integrators and end users to ensure that their systems are best protected and updated against exploits.

But who should disclose this? Cybersecurity researcher Bashis, who has found vulnerabilities in numerous video surveillance products, recently asked this question. We gathered 150+ integrator responses to see what they believe is the right answer.

A clear theme emerged: integrators overwhelmingly believe manufacturers are responsible for announcing vulnerabilities, but they are almost equally worried that manufacturers will avoid that responsibility.

Inside we examine the results and share detailed integrator feedback.
