The change in terms from “responsible” disclosure to “coordinated” disclosure is welcome and wise. The various parties involved, vendor, user, researcher, CERT, will rarely agree on what is “responsible”. Maybe there is some agreement at the edges, but determining what is a responsible action and timeframe for the vendor is tough. And what should a researcher expect in return for their efforts, both in finding the vuln and in the time and effort spent coordinating with the vendor and other parties?
This is personal for Digital Bond because we find and report vulnerabilities to US-CERT and the vendor, see our disclosure policy. We often find the vulnerabilities in our research or consulting, and it takes time to isolate and reproduce the vulnerability, write up the vulnerability report and answer questions from the vendor and CERT.
Two recent events led to this post. The first is a bit petty. Three vulns we found, a buffer overflow and two web app vulns, were fixed by the vendor and a bulletin issued to their customers. A great result. However, in the bulletin the vendor said:
Vendor X conducts regular security vulnerability assessments of current and previous versions of Product Y to ensure optimal performance within the highest standards of software security. Collaborating with external IT vulnerability assessment organizations, our team performs thorough assessments using the latest techniques available. During a recent security assessment, the team has identified a small number of potential security issues that affect Product Y.
This is not even close to true. Digital Bond found these vulns independently in our lab, wrote up a vulnerability note, and sent it to US-CERT and the vendor. We expected that when the vulns were resolved we would receive at least an acknowledgement. Crassly, this is a marketing benefit because it helps build our brand and exposes us to potential customers who may not have heard of us. We are a business and there has to be some benefit to spending the time and effort — and we are probably not going to see payment for vulns in the control system market the way Google is doing. There are a lot more direct and profitable ways to leverage this information, but we, like everyone else, have our own definition of responsible.
The second event is the two SCADA security vulns with exploit code that were released by the researcher without coordination with the vendor or the CERT [see Moxa and Realwin]. The researcher chose not to spend the time working with the vendor or CERT. There are small stories as to why not behind each, but the reality that will not change is that the person who finds the vuln decides what they want to do with it – within the law of course.
In these two cases, ICS-CERT decided not to provide attribution when there has been no coordination. The bulletins only refer to “an independent security researcher”, and this approach seems reasonable since the researcher chose not to involve the CERT.
There are going to be an increasing variety of disclosure scenarios as the number of control system vulns grows and the diversity of the people finding them grows.