Have you ever faced software security alerts in your embedded product or project? I did - several times. Mostly this had been going in the following way read an article or got a mail about the security issue checked (or may double-checked) the version actually used in the product is affected informed head of development (or head of security) that there is a problem in the software made several rounds of discussions and planning (which could take some time) included the fix, if there was one available did all the needed Q&A process deployed the fixed version kept the fingers crossed that software will be installed to most of the devices before anyone actually exploits the issue The chain of disaster already starts at the first bullet - it's far too late - the whole process usually takes at least a few days - days devices in the field might be exploitable - and who's responsible in the end? Take a guess - mostly it's you. Of course you can put yourself on