Is there any kind of independent organization from which networking device vendors can seek security certification?

E.g., they get to review all hw / sw / firmware, and if appropriate make a public affirmation that they could find no vulnerabilities for that stack?
Most of the time such reviews are not practical; they cost too much money and don't deliver results. Such review industries are almost always all about the rubber stamp and don't end up employing competent reviewers.

See e.g. the Infineon ROCA flaw that FIPS certification didn't catch (even though that code reeked of them being too clever, and should've gone through proper cryptanalysis).

See: flaws in the FIPS YubiKey (specific to that version! The certification requirements introduced vulns!)

See: every audit of every terrible CA ever.
UL need to step up their game