Dailydave mailing list archives
HP getting sued
From: Carl-Johan Bostorp <Carl-Johan.Bostorp () cybercom com>
Date: Wed, 7 Dec 2011 08:26:24 +0100
So it looks like HP is getting sued in a class action lawsuit over the firmware upgrade "potential security vulnerability". It's claimed that HP knew about the vulnerability, but failed to disclose it, and this constitutes an "unfair" business act. https://docs.google.com/gview?url=http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv05779/248220/1/0.pdf?1322863230&chrome=true This is the first case I've heard of where this happens. Will be really interesting to see what happens. With any luck, vendors will have to at least disclose the shit they choose not to fix. http://www.digitalbond.com/2011/11/08/advantech-webaccess-first-on-insecure-products-list/ ... but then again, there are gradients here that can be difficult to rule. How much would a vendor have to disclose of vulnerabilities known but not fixed? Do they get any grace period on fixing these vulnerabilities, or must they be made public as soon as they know *anything* ? Or is it just when they decided not to fix it? If so, can we then expect vendors to have vulnerabilities rated as "undetermined" for years? Maybe a 6 months grace period from vendor notification to people starting to sue? What about severity of vulnerability? What do you think is reasonable? Carl-Johan Bostorp Senior Consultant CISSP / QSA Cybercom Sweden East AB Lindhagensgatan 126, Box 30154 SE-104 25 Stockholm Mobile +46 722 328 220 Phone +46 8 726 75 00 Fax +46 8 19 33 22 carl-johan.bostorp () cybercom com<mailto:carl-johan.bostorp () cybercom com> www.cybercomgroup.com<http://www.cybercomgroup.com/> P Think before you print
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
Current thread:
- HP getting sued Carl-Johan Bostorp (Dec 08)
- Re: HP getting sued Charisse Castagnoli (Dec 08)
- Re: HP getting sued Jeffrey Walton (Dec 08)