Comment by viraptor

Comment by viraptor 6 days ago

Most security bugs get fixed without any public notice. Unless there was any breach of customer information (and that can be often verified), there are typically no legal requirements. And there's no real benefit to doing it either. Why would you expect it to happen?

smarx007 6 days ago

> there are typically no legal requirements

Not after EU CRA https://en.m.wikipedia.org/wiki/Cyber_Resilience_Act goes into effect

Reply View 0 replies

singleshot_ 6 days ago

> Unless there was any breach of customer information (and that can be often verified), there are typically no legal requirements.

If the company is regulated by the SEC I believe you will find that any “material” breach is reportable after the determination of materiality is reached, since at least 2023.

Reply View 2 replies

viraptor 6 days ago

Sure. And these types of "we fixed it and confirmed nobody actually exploited it" issues are not always treated as material. You can confirm that for example by checking SEC reports for each cve in commercial VPN gateways... or lack of.

Reply View | 1 reply
- [removed] 5 days ago
  
  [deleted]
  
  Reply View | 0 replies

wredcoll 6 days ago

The benefit, apparently, is that people like this guy don't cancel their memberships.

Reply View 1 reply

viraptor 6 days ago

And how many would cancel is they published every security issue they fixed?

Reply View | 0 replies

[removed] 6 days ago

[deleted]

Reply View 0 replies