There has been some misunderstanding and misstating of Digital Bond's vulnerability disclosure policy, so we decided to follow the Matasano example and state our policy explicitly. The full text is published as Digital Bond's Vulnerability Disclosure Policy.
In a nutshell, we honor our customer confidentiality agreements; disclose to the vendor, US-CERT, and CERT-CC simultaneously; and let US-CERT as the independent coordination center determine if and when public disclosure is appropriate.
We know a large number of asset owners and consultants have identified vulnerabilities in SCADA devices and applications. Unfortunately, finding them is not that difficult today. We encourage others to come up with a responsible disclosure policy of their own and to involve the coordination centers.