Digital Bond identifies vulnerabilities on a regular basis during our SCADA security consulting engagements and research projects. Vulnerability disclosure, while a long-contentious issue in the IT security world, is still a very new issue in the SCADA security community.
Prior to 2006, Digital Bond simply alerted the affected vendor when we identified vulnerabilities. Rarely did we see any response, and when the vendor did respond it was usually only to our client rather than to all of their affected users. So in 2006 we finally woke up and realized we needed to play a larger role in the responsible disclosure of control system vulnerabilities.
Here is our vulnerability disclosure policy:
Digital Bond Honors All Client Commitments
We are often required to sign non-disclosure agreements and other restrictions on information with our consulting clients. We always honor our commitments and will not disclose information covered under a commitment without explicit client approval. That said, many of our clients have participated in responsible, coordinated disclosure after understanding the issues.
All Bets Are Off
As of 1 Sept 2011 the other elements of our disclosure policy, see below, are no longer in effect. We will decide what we want to do with any vulnerability. We may disclose it to the vendor; we may disclose some or all of it publicly; we may disclose it only to our affected customers; we may keep it to ourselves for future use; or we may do something else.
Digital Bond Notifies The Affected Vendor, US-CERT, and CERT/CC When A Vulnerability Is Identified
After many years of non-response or ineffective response by vendors, we now notify US-CERT and CERT/CC of any identified vulnerabilities not covered by an NDA or similar commitment, at the same time as the affected vendor. We have seen an increase in the speed and effectiveness of the affected vendor's response by involving the coordination centers on day one.
Digital Bond Leaves The Decision On When To Disclose To US-CERT and CERT/CC
We let independent coordination centers balance the interests of vendors, users, and researchers and determine when disclosure is appropriate. Ideally a patch would be available at the time of disclosure, but in many instances the patch may be significantly delayed, and disclosure may allow reduction of risk through compensating controls.
Digital Bond May Disclose To Affected Clients
We have asset owner clients in a variety of critical infrastructure vertical markets. After security assessment, architecture, policy and other engagements we know their systems well. Digital Bond may disclose vulnerabilities to affected asset owner clients under an NDA that prevents further disclosure. Again, to be clear: Digital Bond does not disclose vulnerabilities to the public. We may choose to provide more information and context once US-CERT has disclosed the vulnerability.
Digital Bond Promotes Responsible Disclosure
We are strong proponents of responsible disclosure and urge all members of the SCADA security community to develop their own responsible disclosure policy that includes informing a coordination center in their country.