Push or Pull

Is it better that the vendor sends notifications to customers (push model) or that affected devices fetch that information itself (pull model)? The answer is “yes.” Both models are valid, and vendors should use whichever is more effective in informing users about vulnerabilities. The vendor can also use both models but probably not for the same product.

The push model is good because it can be configured to suit users’ needs. If the vendor uses email or RSS to send the notification, the users can automate the process so that after the notification is received, it is parsed and, depending on its content, different people are alerted about the notification. These alerts can be sent to their pagers; automated voice messages can be sent to their mobile phones; and emails can be sent to their addresses. All that can happen within seconds after receiving the vendor notification. Less-sophisticated users can read the notification the next time they check their email or browse a website, which might be several days or weeks after the vendor published the notification.