Centralization in security information helps Mikrotik every bit as much as it does its existing customers, prospective customers and the broader community.
Mikrotik need to be much more direct and centralized about even the very basics, like what specific vulnerabilities have been fixed and when (we can only hope for mitigation and workaround info).
This is just one of the reasons centralized and dated databases like CVE numbers exist, and why many other software and networking vendors keep numbered and versioned security update lists: so that they are trivially accessible, can be referenced directly, remove massive confusion from different sources and minimize both customer anxiety and broader concerns right now, let alone in future.
At the moment any precise security information is in a forum post, very often not even in changelogs. Yet internally you must keep a log of security fixes?
For example, in almost the same period of time, remote access security issues have blown up in the media around:
- SMB service/NetBIOS messages
- unsecured external web services
- web service vulnerabilities
- aggressive port scanning against Winbox ports
- Hajime IoT botnet/worm
- Slingshot malware and spyware - one of the most sophisticated spyware platforms ever discovered in the wild (meaning it must be a state actor) and to date it only affects Mikrotik devices
These are not necessarily the same underlying security issues, but due to widespread reporting confusion - all in different languages too - some actual hysteria, unsurprisingly, abounds!
On top of that, there are even more risks. Existing known attackers are often only using older vulnerabilities yet have the potential to upgrade to use new ones, e.g. Slingshot or variants have not been seen attempting to use the SMB vulnerability.
It is notable that there can be more specific information about Mikrotik device security in some journalist articles than there is from Mikrotik itself, e.g. the one from VirusGuides.
All of this, now or in future, could even constitute a directed or careful attack against Mikrotik with no real indication of how much further it could scale. How best to defend yourself?
No matter how small an organisation, a simple static HTML page and references to CVE or security update IDs in changelogs, for example, cannot be that hard to maintain since you already have all that information.