Retr0id 2 days ago

I'm also not sure what the point of vendor disclosure is, if the product really is EOL

Reply View 8 replies
  • codetrotter 2 days ago

    Maybe mainly to avoid legal trouble? Even if you “know” the answer from the vendor will be that it’s EOL, notifying them of your findings and giving them time to fix it shows that you have good intentions. That they then do choose to do nothing about it, well that’s not your fault.

    Additionally, it helps you avoid the situation where you thought the device was EOL because there hadn’t been any updates for a long time but then it turns out that they actually do still respond to, and fix, security issues. And it just happened that there hadn’t been updates for a long while because no one had reported anything for a while.

    Reply View 0 replies
  • citrin_ru 2 days ago

    Depending on vulnerability impact and difficulty fixing it, some vendors may choose to release a fix even after EOL. Generally EOL means that users should not rely on getting an update (but it still may be released as an exception).

    Reply View 1 reply
    • krisoft 2 days ago

      Or the vendor might want to warn users about the vulnerability. It is a different story to stay “there might be vulnerabilities, consider updating to some other gizmo” vs “there is a vulnerability, you have to abandon the gizmo”.

      Reply View 0 replies
  • stvltvs 2 days ago

    The vulnerabilities might still exist in current products even if discovered in an EOL product.

    Reply View 1 reply
  • myself248 2 days ago

    I think the point is to embarrass vendors into extending their support periods. Giving them 60 days to think about that is a shot across the bow.

    Reply View 0 replies
  • qwery 2 days ago

    An attempt to avoid unnecessary harm, I'd guess.

    To see what they do?

    Because it will be more damning if they ignore something significant they had explained to them?

    Reply View 0 replies