First of all I would like to thank Dale for inviting me to share my thoughts via this blog.
Having published dozens of vulnerabilities over the last few years, I have collected a range of reactions: from vendors who want to hire you, to those determined to sue you (just one case, fortunately).
However, I’d empirically say that some SCADA vendors still lack the proper policy, or attitude, to face up to the fact that their products have vulnerabilities, just as any other software or hardware might. I guess they are not used to dealing with these scenarios.
Foreseeing some kind of weird reaction to my reports, I took the decision to contact vendors only through third-party organizations; ICS-CERT is a good candidate, in my experience.
Two years of reporting SCADA vulnerabilities is enough time to collect some reactions. I have been ‘accused’ of physically entering facilities, of having access to insider knowledge, or, more recently, told that what I was reporting was not a bug. This last situation happened in the Advantech/BroadWin case. After the vendor denied having a vulnerability, I ended up releasing an exploit to demonstrate the real impact. I’m pretty sure some of you strongly disagree with me, since releasing a 0day is not usually well regarded.
The response I received from Advantech/BroadWin was the following:
“3. WebAccess does use RPC to communicate between Client and server. But all the server side functions are password protected. With HTTPS and VPN, we think it is safe on the internet. It would be extremely complicated to reverse engineer the RPC code and then alter the data in WebAccess.”