
INL Disclosure Comment At SANS

Digital Bond got slammed at the SANS Summit by Jason Larsen of INL as an example of consultants/researchers trying to make PR on vulnerabilities they discover during client assessments to “raise the price of their services”. This was not the thrust of the talk and a minor comment, but it still warrants a response.

Digital Bond is a strong believer in responsible disclosure. When we identify a vulnerability, we notify the vendor and CERT/CC & US-CERT. We provide them with whatever details and help we can. At that point it is their decision to disclose. Two vulnerabilities identified by Digital Bond have resulted in vulnerability notes published by US-CERT. There are more identified vulnerabilities in process that may or may not be published. The decision is CERT/CC & US-CERT’s, which is appropriate for a mediator between researchers, asset owners and vendors.

Let’s look at the LiveData example Jason mentioned. Prior to contacting CERT/CC & US-CERT the vendor had no response. After talking to CERT/CC & US-CERT the vendor quickly issued a patch, prior to the public announcement. The LiveData stack is in many products. Now asset owners can look at the vulnerability note and see if they need to contact the vendor for a patch. The vulnerability note did not include detail on the vulnerability and no exploit code was released for “proof of concept”.

The “raise the price of their services” comment is partially true. The IDS signatures, vulnerability disclosure, Nessus plugins, honeynet, blog, S4, and other resources have a marketing component. We are not looking to raise our rates, but we are trying to get funding for interesting SCADA security research projects and obviously look for SCADA assessments / architecture / policy engagements with asset owners. Our marketing efforts are not advertising and trade show booths, they are the content and tools we provide to the community. Hopefully this leads a potential research funder or asset owner to understand our skills and consider Digital Bond.

I think the myth is that INL is any different. INL and the national labs compete with industry despite public proclamations to the contrary. They perform assessments for asset owners, analyze vendor systems, and perform applied research. Digital Bond and other companies do this exact same work. INL is in fact our biggest competitor with Sandia and PNL not far behind.

When INL representatives are on stage proclaiming their abilities to break systems, there is a large marketing component to this. When they talk about the value of their testing of vendor systems, this is a very commercial statement that vendors should pay to get their systems tested by INL. There is nothing wrong with this, but honestly, could any other vendor get away with this on Alan Paller’s stage?

We have a lot of respect for the labs. There is talent there, including Jason. We have worked with them in the past and hopefully will again. One issue that makes it difficult is a difference in our approach.

Digital Bond’s focus is on the asset owner. How we can get information and tools to the asset owners is a key question in all of our engagements. We turn away work that will be locked up or left to the vendor’s discretion on what is disclosed to asset owners.

INL’s focus is on the vendor. Many vendors pay INL to do assessments, and the vendors get the results. It is the vendor’s decision on what vulnerabilities are addressed and what information is shared with the asset owners. I have suggested to the labs in the past that there be disclosure to US-CERT after some reasonable time for the vendor to fix the vulnerability (6 months?). Also, the tools remain within the labs.

This fundamental difference likely affects our different views on responsible disclosure and other matters.
