Comment by Retr0id 2 days ago
> 60-90 day disclosure windows with vendor
This is not 0day. (but I think this is a fun initiative nonetheless)
Maybe mainly to avoid legal trouble? Even if you “know” the answer from the vendor will be that it’s EOL, notifying them of your findings and giving them time to fix it shows that you have good intentions. That they then do choose to do nothing about it, well that’s not your fault.
Additionally, it helps you avoid the situation where you thought the device was EOL because there hadn’t been any updates for a long time but then it turns out that they actually do still respond to, and fix, security issues. And it just happened that there hadn’t been updates for a long while because no one had reported anything for a while.
Sometimes an EOL is ignored if it's serious enough - https://msrc.microsoft.com/blog/2017/05/customer-guidance-fo...
"Although the term "zero-day" initially referred to the time since the vendor had become aware of the vulnerability, zero-day vulnerabilities can also be defined as the subset of vulnerabilities for which no patch or other fix is available." - Source: https://en.wikipedia.org/wiki/Zero-day_vulnerability