Yeah, but do I really need to patch this one?

A big part of my “day job” over the past few years has been to act as the security advocate for a number of Dell EMC products. This includes a variety of activities, both proactive and reactive. One common activity is handling the life cycle of a security vulnerability through discovery, triage, remediation, and disclosure. Most (but not all) of the vulnerabilities I deal with stem from embedded components that are updated periodically for security reasons.

There’s a common response I get when vulnerabilities, and their remediation, are disclosed: “Do I really need to worry about this one?”

When I put my corporate hat on, the answer of course is, “Yes. We advise you to <blah blah blah> immediately.”

But you know and I know that security vulnerabilities come in a wide variety of flavors.

So what’s the real answer?
