Comment by busterarm
Would be cool but "responsible disclosure" is a non-starter for me. Full disclosure is the only way to operate, IMO.
If the device is explicitly past EOL, what is the point anyways? Just to wait 60 days and hear they aren't going to do anything?
Not necessarily! If the 0day is bad enough the vendor may patch it or release further guidance - most recent case is Ivanti this week (https://cyberscoop.com/ivanti-vulnerability-cisa-kev/)
They could offer to send you a $15 Grubhub gift card for your trouble.
Depending on the target and the severity of the vulnerability, the vendor might consider fixing the vulnerability even if EOL.
If the target is an IoT device, the vulnerability will likely be mass exploited to create a botnet.
The U.S. government recently ‘took control’ of a botnet run by Chinese government hackers made of 260,000 Internet of Things devices... (Source: https://techcrunch.com/2024/09/18/u-s-government-took-contro...)