by michaellosee
4265 days ago
I demonstrated the Actiontec Q1000 exploit on Track 0. As a security professional I am very interested in responsible disclosure, and had already reported the vulnerability to CenturyLink 6+ months before Defcon (slight correction to the article, the ISP is not Verizon). I first read about the SOHOplessly broken contest on HN the week before Defcon and figured I'd apply since I already had a 0-day in my back pocket. As the article says, the manufacturer has acknowledged the vulnerability, but I have not heard from them for quite a while. I've begun to wonder how much time has to pass without a fix before it would be irresponsible of me not to fully disclose the vulnerability. Lately I've been thinking that full disclosure may be the only responsible way to disclose a vulnerability. But I am still conflicted.