I am just curious about the prevailing opinions here. A friend of mine has discovered an extremely poor implementation in a security product on the market that is used by many different corporations and universities. And by extremely poor implementation, I mean full on compromise and potential to create a botnet easily. In about 100 lines of code, he can do whatever he wants to any computer that has this product installed.
He is going through the proper channels to report it, but the design is so poor that the company is likely going to have to scrap 90% of the existing code and redesign the product. Therefore, I think the company is going to try and keep it quiet.
What is the general opinion on companies and releasing information about severe vulnerabilities to their customers? In this case, I believe every customer should be notified ASAP so they can assess the threat model and determine whether they continue to use the product. I can say turning off the product would actually provide more security than leaving it on if this vulnerability started to be targeted.
Additionally, the compounding threat to me is that universities utilizing the product put not only identities at risk but also research.
So what responsibility do companies have to their customers when they sell a product that has such gaping security holes that put their customers at risk?