While at S4, Digital Bond Labs had a security advisory published by ICS-CERT (see ICSA-15-013-03). One thing that we tried to do differently with releasing information on the issue this time around was to reach out to vendors that were obviously using the affected software as part of their control system.
The results were pretty strange. Most companies contacted had no security@ email address, and no /security URI on their website.
Of the 32 affected vendors that we reached out to, only 3 had a ‘security@’ email address that did not bounce (the remaining 29 we contacted using a general ‘support’ email address listed on the vendor website). Two months later, zero of the affected vendors have provided a response beyond an automated ticket.
When I worked for a vendor, I had an internal pep-talk informally called ‘dealing with researchers.’ There are a lot of cheap and easy lessons to learn, based on how the bug comes to you: