Vulnerability bureaucracy: Unchanged after 12 years
One of my tasks at IOActive Labs is to deal with vulnerabilities; report them, try to get them fixed, publish advisories, etc. This isn’t new to me. I started to report vulnerabilities something like 12 years ago and over that time I have reported hundreds of vulnerabilities – many of them found by me and by other people too. Since the early 2000’s I have encountered several problems when reporting vulnerabilities: Vendor not responding Vendor responding aggressively Vendor responding but choosing not to fix the vulnerability Vendor releasing flawed patches…