Dailydave mailing list archives

HP getting sued


From: Carl-Johan Bostorp <Carl-Johan.Bostorp () cybercom com>
Date: Wed, 7 Dec 2011 08:26:24 +0100

So it looks like HP is getting sued in a class action lawsuit over the firmware upgrade "potential security 
vulnerability". It's claimed that HP knew about the vulnerability, but failed to disclose it, and this constitutes an 
"unfair" business act. 
https://docs.google.com/gview?url=http://docs.justia.com/cases/federal/district-courts/california/candce/5:2011cv05779/248220/1/0.pdf?1322863230&chrome=true

This is the first case I've heard of where this happens. Will be really interesting to see what happens. With any luck, 
vendors will have to at least disclose the shit they choose not to fix. 
http://www.digitalbond.com/2011/11/08/advantech-webaccess-first-on-insecure-products-list/  ... but then again, there 
are gradients here that can be difficult to rule.

How much would a vendor have to disclose of vulnerabilities known but not fixed? Do they get any grace period on fixing 
these vulnerabilities, or must they be made public as soon as they know *anything*? Or is it just when they decided 
not to fix it? If so, can we then expect vendors to have vulnerabilities rated as "undetermined" for years? Maybe a 6-month 
grace period from vendor notification to people starting to sue? What about severity of vulnerability?

What do you think is reasonable?

Carl-Johan Bostorp
Senior Consultant
CISSP / QSA

Cybercom Sweden East AB
Lindhagensgatan 126,  Box 30154   SE-104 25  Stockholm
Mobile +46 722 328 220
Phone +46 8 726 75 00   Fax +46 8 19 33 22
carl-johan.bostorp () cybercom com
www.cybercomgroup.com
