How long before a security vendor should act on a security report? e.g. Comodo
Many will question a security researcher's actions on whether they acted/reported responsibly, but I'd like to question "How long before a security vendor will act on any security report regarding their services?"
Months have passed… Comodo has failed to review or monitor any domains that are carrying their certificates.
Last month… MVP Mike Burgess reported to them some malware domains that have Comodo certs, and it took weeks before Comodo would acknowledge it (the CEO even denied that their team had received email from MVP Mike. Well, the CEO said he didn't think they had received email from MVP Mike Burgess). It turned out it was buried, which is an excuse IMHO!
This issue has been grilled/discussed in several forums including DSLReports, Wilders Security, and Calendar of Updates, and was blogged about by MVP Corrine and myself, but until today Comodo is not acting on, preventing, or monitoring this report.
So how long before you, as a security vendor, should act on security reports? 2 weeks, 2 months, 2 years?
More than a month is too much waiting. End-users should trust other security vendors instead of trusting a vendor that ignores security reports just because it is earning some money from malware domain owners!
Nuff of my rant… see the new blog entry by MVP Mike on this issue. Comodo again continues to issue certs to malware domains!:
http://msmvps.com/blogs/hostsnews/archive/2009/05/23/1693034.aspx