Unresponsive Vendors (and a bit of irony)

Posted by jericho Fri, 09 Dec 2005 06:07:18 GMT

Late yesterday, Jaime Blasco posted to bugtraq looking for a security contact at 3com so that he could continue trying to disclose a vulnerability in one of their products responsibly. Such posts are not uncommon these days, and they are one of the driving forces behind the OSVDB Vendor Dictionary. Even vendors who are under the delusion that their products contain no vulnerabilities should still maintain a security@ alias, the mailbox name RFC 2142 reserves for security notifications and queries. Ideally, we'd like you to contact us with your preferred security address so that our vendor dictionary stays updated and accurate.

The irony of Blasco's post is that 3com owns TippingPoint, which runs the Zero Day Initiative (ZDI), a program set up to purchase 0-day vulnerabilities from researchers. Why do I suspect that, had Blasco mailed ZDI instead, he would have received a prompt reply?

2 comments

Comments

  1. AlexKelly said about 15 hours later:

    Yes, one does get the sense that only two possibilities exist: (1) vendor lacks proper contact information, or (2) vendor tries to ignore the vulnerability.

    And yes, definitely not uncommon. A good example of the second is the PGP Desktop Wipe Free Space vulnerability, OSVDB ID # 21569. The creditee reports that the vendor failed to reply after having ample time to do so.

  2. SteveChristey said 2 days later:

    Lack of vendor response is probably somewhere around 25% of all disclosures, based on CVE data, with another 25% from researchers who don’t even try to contact the vendor, and the remainder that is eventually acknowledged. But the “eventually acknowledged” figure includes vendors who were contacted but didn’t respond until after publication, so the lack of response might be higher than 25%.
