Before we proceed, let us ask one question, "Why it is important to know who is and who is not a vendor?" After all, delivering a remedy is all that matters. Although that is true, it is also important that people with criminal intent on their mind learn about the vulnerability as late in the game as possible. The general rule is that the more people who know about something, the chance for information leaking is higher. Therefore, only peo- ple and organizations that need to know about the vulnerability should be notified. Vendors are the obvious group that must be notified, which leads you back to the ques- tion, "Who is a vendor?" You can see that, as it is usually the case, no simple general answer exists. Not only that, but the answer is different if we change the perspective. From a user's perspective, a vendor is whoever sold the product. End of story. However, from the perspective of vendors and manufacturers, the answer can be quite different, which is the focus here.
The initial description of a vendor as someone who is responsible for production and maintenance of a product is a good start but needs further qualification. Following is a vendor ecosystem:
• Direct production: Hardware and software for a Cisco router is designed and pro- duced by Cisco, so Cisco is a vendor.
• Integrated components: Closer inspection of Cisco routers reveals that some of the hardware components and software libraries are not designed and made by Cisco but by various third parties. Vulnerability in any of these components would require the appropriate third party to produce a remedy and Cisco to integrate it into a final product. Given the close integration of constituent components into a final product, you can still claim that Cisco is a vendor even when considering third- party components.
Needless to say that reusing third-party components can go arbitrarily deep. A third- party component can contain a module made by a fourth party that can contain yet another component from someone else, and so on ad nauseam.
Probably all modern operating systems work on this model where only a small part of it is written by an organization that is "the vendor," and all, or a big majority of, other parts (libraries, utilities and so on) are written and maintained by third parties. This is not limited to open-source vendors such as Red Hat or OpenBSD but is also present in commercial operating systems such as Apple Mac OS X and even Microsoft Windows.
• OEM or resellers: Original Equipment Manufacturer (OEM) is the name for a com- pany that buys a product from a second company, places its logo on the product, and sells it under its name. Reseller is a less ambiguous name for such a company. Although the reseller may appear as a vendor from the outside (that is, it sells and supports a product), it is not involved in the production or integration of a remedy for security vulnerability in a product. In this case, it is hard to argue that a reseller is a vendor.
• Value Added Reseller (VAR): VAR is a reseller but it adds value to a product before selling it under its brand. Value can be added in multiple ways. Some of the values that can be added are customization (like translation of messages to a different lan- guage), additional functionalities (for example, new software or hardware modules added to the existing product), to integration with other equipment (with or without modifying or expanding functionalities of any integrated device or product). VAR can be called a vendor depending on the level and scope of the modifications added to the initial product. However, because there is no clear demarcation line for how much modification must be added before a VAR should be called a vendor, this determination must be done on a case-by-case basis.
• System integrator: This is a person or an organization who creates customized solu- tions out of products, devices, or modules from (usually) different vendors. System integration can involve different levels of component customization that can range from configuring devices in a specific way to developing new modules (software or hardware) to enable overall system functions.
Similar to VARs, system integrators can be considered vendors especially if vulnera- bility is found in modules and components produced by the integrator. Again, the decision of whether a system integrator is a vendor must be made on a case-by-case basis.
As you can see from the preceding examples, vendors come in all different shapes and sizes. There is no universal definition on who a vendor is from a nonuser's point of view. It is up to the parties involved in a process to sort that out, and the answer can change from one case to another. In all instances, a vendor is someone who can produce the remedy.