In addition, the SE and the PM may need to consider the following factors before choosing a particular OTS product:

- Does the supplier have product evaluation criteria defined for the reduction of potential weaknesses in COTS? If a product defect/bug list can be made available, consider examining it. If independent defect/bug lists can be made available, consider examining them too. Do they show that the supplier actively works to prevent weaknesses from being released in their product, and that they place a high priority on repairing important vulnerabilities if found later?
- What are the maturities of the product and the underlying product technologies? An immature product, or a product based on poorly understood technology, is more likely to have vulnerabilities.
- What is the track record/history of the product or organization regarding vulnerabilities? How often do they occur in released products? What were the impacts and how long did they take to be resolved? Is it prone to vulnerabilities compared to its competitors?
- Are there publicly known and uncorrected weaknesses or vulnerabilities?
- What is the organization's track record regarding correction of vulnerabilities (including speed and thoroughness)?
- Does the product have certifications that justify its assurance (e.g., Common Criteria evaluation, FIPS 140-2, ICSA evaluation, etc.)?
- If it has received widespread reviews (including peer reviews or testing), what are their results?
- What mechanisms exist or can be added to prevent the use of counterfeit parts/software?
- What is the supplier's strategy to reduce vulnerabilities?

Note that in some cases, OTS elements should be configured to

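As an added example (not part of the original document), the helper below turns the track-record questions on vulnerability frequency, time to resolution and uncorrected public vulnerabilities into measurable quantities over a constructed advisory list; the product names, dates, severities and the 30-day "slow correction" threshold are assumptions made for the illustration.

```python
from datetime import date
from statistics import median

# Constructed advisory records for two hypothetical candidate products.
# Names, dates and severities are made up for this example.
ADVISORIES = [
    {"product": "ProductA", "disclosed": date(2023, 1, 10), "fixed": date(2023, 1, 25), "severity": "high"},
    {"product": "ProductA", "disclosed": date(2023, 6, 2),  "fixed": date(2023, 6, 9),  "severity": "critical"},
    {"product": "ProductA", "disclosed": date(2024, 3, 14), "fixed": date(2024, 4, 1),  "severity": "medium"},
    {"product": "ProductB", "disclosed": date(2023, 2, 1),  "fixed": date(2023, 8, 15), "severity": "high"},
    {"product": "ProductB", "disclosed": date(2023, 9, 20), "fixed": None,              "severity": "critical"},
    {"product": "ProductB", "disclosed": date(2024, 1, 5),  "fixed": date(2024, 5, 30), "severity": "low"},
    {"product": "ProductB", "disclosed": date(2024, 7, 7),  "fixed": None,              "severity": "medium"},
]


def track_record(advisories, product, as_of):
    """Summarise one product's vulnerability history as of a given date."""
    recs = [a for a in advisories if a["product"] == product and a["disclosed"] <= as_of]
    fixed = [a for a in recs if a["fixed"] is not None]
    still_open = [a for a in recs if a["fixed"] is None]
    days_to_fix = [(a["fixed"] - a["disclosed"]).days for a in fixed]
    return {
        "total": len(recs),
        "open": len(still_open),
        # "publicly known and uncorrected" vulnerabilities of serious impact
        "open_high_or_critical": sum(1 for a in still_open if a["severity"] in ("high", "critical")),
        # speed of correction: typical and worst-case days from disclosure to fix
        "median_days_to_fix": median(days_to_fix) if days_to_fix else None,
        "max_days_to_fix": max(days_to_fix) if days_to_fix else None,
        # thoroughness: how long the oldest unresolved issue has been public
        "oldest_open_days": max((as_of - a["disclosed"]).days for a in still_open) if still_open else 0,
    }


def red_flags(summary, max_median_days=30):
    """Translate a summary into the concerns the checklist asks about (threshold is an assumption)."""
    flags = []
    if summary["open_high_or_critical"]:
        flags.append("publicly known uncorrected high/critical vulnerability")
    if summary["median_days_to_fix"] is not None and summary["median_days_to_fix"] > max_median_days:
        flags.append("slow correction: median %s days to fix" % summary["median_days_to_fix"])
    return flags


if __name__ == "__main__":
    for name in ("ProductA", "ProductB"):
        summary = track_record(ADVISORIES, name, date(2024, 12, 31))
        print(name, summary, red_flags(summary))
```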