Researchers and Disclosure

The change in terms from “responsible” disclosure to “coordinated” disclosure is welcome and wise. The various parties involved (vendor, user, researcher, CERT) will rarely agree on what is “responsible”. Maybe there is some agreement at the edges, but determining what a responsible action and timeframe by the vendor looks like is tough. And what should a researcher expect for their efforts, both in finding the vuln and in the time and effort spent coordinating with the vendor and other parties?

This is personal for Digital Bond because we find and report vulnerabilities to US-CERT and the vendor; see our disclosure policy. We often find the vulnerabilities in our research or consulting, and it takes time to isolate and reproduce the vulnerability, write up the vulnerability report and answer questions from the vendor and CERT.

Two recent events led to this post. The first is a bit petty. Three vulns we found, a buffer overflow and two web app vulns, were fixed by the vendor and a bulletin was issued to their customers. A great result. However, in the bulletin the vendor said,

Vendor X conducts regular security vulnerability assessments of current and previous versions of Product Y to ensure optimal performance within the highest standards of software security. Collaborating with external IT vulnerability assessment organizations, our team performs thorough assessments using the latest techniques available. During a recent security assessment, the team has identified a small number of potential security issues that affect Product Y.

This is not even close to true. Digital Bond found these vulns independently in our lab, wrote up a vulnerability note, and sent it to US-CERT and the vendor. We expected that when the vulns were resolved we would receive at least an acknowledgement. Crassly, this is a marketing benefit because it helps build our brand and exposes us to potential customers who may not have heard of us. We are a business and there has to be some benefit to spending the time and effort — and we are probably not going to see pay-for-vulns programs like Google's in the control system market. There are a lot more direct and profitable ways to leverage this information, but we, like everyone else, have our own definition of responsible.

The second event is the two SCADA security vulns with exploit code that have been released by the researcher without coordination with the vendor or the CERT [see Moxa and Realwin]. In each case the researcher chose not to spend the time working with the vendor or CERT. There are small stories as to why not behind each, but the reality that will not change is that the person who finds the vuln decides what they want to do with it, within the law of course.

In these two cases, ICS-CERT decided not to provide attribution when there has been no coordination. The bulletins only refer to “an independent security researcher”, and this approach seems reasonable since the researcher chose not to involve the CERT.

There is going to be an increasing variety of disclosure scenarios as the number of control system vulns grows and the diversity of the people finding them grows.

4 comments to Researchers and Disclosure

  • erik.hjelmvik

    Dale, would you by any chance be able to post the name of “Vendor X” on your blog? I feel bashing often is both fun and useful, since it would put more pressure on Vendor X to properly credit responsible disclosures in order to prevent irresponsible disclosure (such as publicly released exploits) in the future.

  • Hi Erik,

    It will come out in a few months. At this point only customers have been told. After about ninety days it will go out as a general bulletin. This seems to be the closest thing we have to a general practice in SCADA security vuln disclosures, and it seems reasonable to me.

    I do want to point out that the vendor deserves a lot of credit in other important ways. They took the vulns seriously, responded immediately and professionally to our contact. More importantly, they fixed the problems. This is much better than many vendors inside and outside the control system community.

    Dale

  • shawnmer

    FYI, I referenced this blog post today.

    “Metasploit and SCADA Exploits: Dawn of a New Era?”

    https://www.infosecisland.com/blogview/9340-Metasploit-and-SCADA-Exploits-Dawn-of-a-New-Era-.html

    Cheers,
    –scm

  • [...] in the case of specialty SCADA security shops reporting vulnerabilities to the vendor, we are seeing documented case… furthering the bad blood between vendors and ethical [...]
