Case Study on Product Security and Vulnerability Management in Media

Milan Duric, Lucille Verbaere, Gerben Dierick, Jakob Pfister

Ensuring the security of media, in particular public service media, is of vital importance in maintaining public trust in the veracity of information. However, the transition to IP has opened up previously isolated media systems to direct and indirect attacks. All members of the media industry must adapt, but we will show that the industry is struggling to do so. In 48 different security assessments of commercially available media systems, we found that almost half of them contain at least one critical or high-severity security vulnerability. While working with the affected vendors to solve the issues, we were able to document the industry's current vulnerability management practices. Firstly, only 6 out of 32 vendors have a publicly advertised method for reporting security vulnerabilities to them. Secondly, only 3 of the 11 vulnerabilities that had been fixed at the time of writing this paper have been publicly and transparently disclosed. In the other cases, the fix was included in a new release silently or only vaguely mentioned in the release notes. We conclude that the media industry is not yet sufficiently committed to security and has a lot to learn from the IT industry, where vulnerability reporting, coordinated vulnerability disclosure and frequent security updates are well-established.
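The abstract counts how many vendors have a "publicly advertised method for reporting security vulnerabilities". One concrete, machine-checkable form of such a method is a security.txt file (RFC 9116) served at /.well-known/security.txt. The checker below is an added example written for this page; it is not code from the paper or its authors. It parses a security.txt body and reports the problems that would make the channel unusable (no Contact, a missing, duplicated or past Expires date, a contact that is not a mailto:, tel: or https: URI). The vendor names, addresses and file contents are constructed for the example.

```python
"""Minimal checker for a vendor's security.txt (RFC 9116).

Added example, not code from the paper. It treats a machine-readable
/.well-known/security.txt with a valid Contact and Expires field as one
form of a publicly advertised vulnerability reporting method. The sample
files at the bottom are constructed and do not describe real vendors.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Field names defined by RFC 9116; names are compared case-insensitively.
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
REQUIRED_FIELDS = {"contact", "expires"}
SINGLE_VALUED = {"expires", "preferred-languages"}
# Contact values must be URIs; these are the schemes the RFC names.
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")


def parse_security_txt(text: str) -> Dict[str, List[str]]:
    """Parse 'Field: value' lines into {field_name_lowercase: [values]}.

    Blank lines and '#' comments are skipped. A line without ':' is kept
    under the pseudo-field '_malformed' so the checker can report it.
    """
    fields: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            fields.setdefault("_malformed", []).append(line)
            continue
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def _parse_expires(value: str) -> Optional[datetime]:
    """Parse an RFC 3339 timestamp; naive values are treated as UTC."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def check_security_txt(text: str, now: Optional[datetime] = None) -> List[str]:
    """Return a list of problems; an empty list means the file is usable."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    present = set(fields) - {"_malformed"}
    problems: List[str] = []

    for line in fields.get("_malformed", []):
        problems.append(f"malformed line: {line!r}")
    for name in sorted(REQUIRED_FIELDS - present):
        problems.append(f"missing required field: {name}")
    for name in sorted(SINGLE_VALUED & present):
        if len(fields[name]) > 1:
            problems.append(f"field must appear once: {name}")
    for name in sorted(present - KNOWN_FIELDS):
        problems.append(f"unknown field: {name}")
    for contact in fields.get("contact", []):
        if not contact.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"contact is not a mailto:, tel: or https: URI: {contact}")

    # Only evaluate the expiry when exactly one Expires field is present.
    if "expires" in fields and len(fields["expires"]) == 1:
        expires = _parse_expires(fields["expires"][0])
        if expires is None:
            problems.append(f"expires is not an RFC 3339 timestamp: {fields['expires'][0]}")
        elif expires <= now:
            problems.append(f"security.txt expired on {expires.isoformat()}")
    return problems


# Constructed sample files (hypothetical vendor, not from the paper).
GOOD_FILE = """\
# Vulnerability reporting channel for a hypothetical vendor (constructed)
Contact: mailto:security@vendor.example
Contact: https://vendor.example/report-vulnerability
Expires: 2030-01-01T00:00:00Z
Policy: https://vendor.example/security-policy
Preferred-Languages: en
"""

BAD_FILE = """\
Contact: security@vendor.example
Expires: 2020-01-01T00:00:00Z
Expires: 2021-01-01T00:00:00Z
"""

if __name__ == "__main__":
    for label, content in (("good", GOOD_FILE), ("bad", BAD_FILE)):
        print(label, check_security_txt(content) or "OK")
```

The checker is deliberately strict about Expires: a file that exists but has lapsed tells a reporter nothing about whether the channel is still monitored, which is the same failure mode as a vendor with no advertised channel at all.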

Published: 2024-10-21
Content type: Original Research
Keywords: product security, security testing, vulnerability management, vulnerability disclosure, CVE, CNA
DOI: 10.5594/MOO/3017
ISBN: 978-1-61482-965-2