undefined | Better HN

0 pointsPolizeiposaune10mo ago0 comments

"Stores are not permitted to sell products with known vulnerabilities under new cybersecurity regulations."

Do stores have to patch known vulnerabilities before releasing the product to customers or can customers install the patch?

0 comments

jeroenhd10mo ago

I believe it's okay to let customers install the patch. The regulation itself can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML

Basically, the manufacturer has to issue a patch, and the distributor has to ensure that the patch is available before selling the vulnerable devices. Without secure software, the product is essentially CE-incompliant, which means it practically isn't allowed to be sold.

IANAL though.

MrBuddyCasino10mo ago

This sounds like another bureaucratic nightmare. Who is going to track this?

geoffpado10mo ago

Grocery stores everywhere have the ability to pull recalled products off their shelves pretty quickly. I did it fairly regularly at my first job as a shelf-stocker for a small local store in rural MO. Somehow we made it work, so clearly someone figured out how to deal with that "bureaucratic nightmare". I see no reason why hardware products that are on a list due to known issues would be any different.

1 more reply

mschuster9110mo ago

You know, vendors could just do the right thing and invest into security so that they don't ship vulnerable stuff from the start...

1 more reply

aspenmayer10mo ago

Stores don’t have the capability to do this. These aren’t car dealerships we’re talking about here, more like Walmart or Best Buy. It would take a recall/RMA or online firmware updates, both of which already exist and are widely used.

j / k navigate · click thread line to collapse

0 comments

jeroenhd10mo ago

I believe it's okay to let customers install the patch. The regulation itself can be found here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML

IANAL though.

MrBuddyCasino10mo ago

This sounds like another bureaucratic nightmare. Who is going to track this?

geoffpado10mo ago

1 more reply

mschuster9110mo ago

You know, vendors could just do the right thing and invest into security so that they don't ship vulnerable stuff from the start...

1 more reply

aspenmayer10mo ago

j / k navigate · click thread line to collapse