First, ICS-CERT did change their policy and acknowledged a researcher who found a vulnerability but chose not to disclose through ICS-CERT. Nice move. The old policy was not working as planned to encourage researchers to disclose through ICS-CERT. So Luigi Auriemma was mentioned in the Siemens WinCC Alert and Optima APIFTP Alert.
Second, the Schneider Electric Advisory shows once again that ICS-CERT does a good job of coordinating disclosures if all sides choose to play along. In this case the researcher, Kuang-Chun Hung, provided the information, the vendor quickly created security patches, a secure bulletin went out on November 3rd, presumably the vendor contacted supported customers, and this public advisory came out 25 days later.