So it looks like HP is getting sued in a class action lawsuit over the firmware upgrade "potential security vulnerability". It's claimed that HP knew about the vulnerability, but failed to disclose it, and this constitutes an "unfair" business act. https://docs.google.com/gview?url=http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv05779/248220/1/0.pdf?1322863230&chrome=true
This is the first case I've heard of where this happens. Will be really interesting to see what happens. With any luck, vendors will have to at least disclose the shit they choose not to fix. http://www.digitalbond.com/2011/11/08/advantech-webaccess-first-on-insecure-products-list/ ... but then again, there are gradients here that can be difficult to rule. How much would a vendor have to disclose of vulnerabilities known but not fixed? Do they get any grace period on fixing these vulnerabilities, or must they be made public as soon as they know *anything* ? Or is it just when they decided not to fix it? If so, can we then expect vendors to have vulnerabilities rated as "undetermined" for years? Maybe a 6 months grace period from vendor notification to people starting to sue? What about severity of vulnerability? What do you think is reasonable? Carl-Johan Bostorp Senior Consultant CISSP / QSA Cybercom Sweden East AB Lindhagensgatan 126, Box 30154 SE-104 25 Stockholm Mobile +46 722 328 220 Phone +46 8 726 75 00 Fax +46 8 19 33 22 [email protected]<mailto:[email protected]> www.cybercomgroup.com<http://www.cybercomgroup.com/> P Think before you print
_______________________________________________ Dailydave mailing list [email protected] https://lists.immunityinc.com/mailman/listinfo/dailydave
