Main menu:

• Home
• Consulting
• Research
• Events
• Subscribe
• About Us
  • Culture
  • Dale Peterson
  • Contact Us
  • Vulnerability Disclosure Policy
  • Advertise on digitalbond.com
  • Now Hiring
• Resources

 

 

 

AAA  AAA 

Vulnerability Disclosure Policy

Digital Bond identifies vulnerabilities on a regular basis during our SCADA security consulting engagements and research projects. Vulnerabiliity disclosure, while a long time contentious issue in the IT security world, is still a very new issue in the SCADA Security community.

Prior to 2006, Digital Bond simply alerted the affected vendor when we identified vulnerablities. Rarely did we see any response, and when the vendor did respond it was usually only to our client rather than all their affected users. So in 2006, we finally woke up and realized we needed to play a larger role in responsible disclosure of control system vulnerabilities.

Here is our vulnerability disclosure policy:

Digital Bond Honors All Client Commitments

We are often required to sign non-disclosure agreements and other restrictions on information with our consulting clients. We always honor our commitments and will not disclose information covered under a commitments without explicit client approval. That said, many of our clients have participated in responsible disclosure after understanding the issues.

Digital Bond Notifies The Affected Vendor, US-CERT, and CERT/CC When A Vulnerability Is Identified

After many years of non-response or ineffective response by vendors, we now notify US-CERT and CERT/CC of any identified vulnerabilities, not covered by a NDA or similar commitment, at the same time as the affected vendor. We have seen an increase in the speed and effectiveness of the affected vendor response by involving the coordination centers on day one.

Digital Bond Leaves The Decision On When To Disclose To US-CERT and CERT/CC

We let independent coordination centers balance the interests of vendors, users, and researchers and determine when disclosure is appropriate. Ideally a patch would be available at the time of disclosure, but in many instances the patch may be significantly delayed and disclosure may allow reduction of risk through compensating controls.

Digital Bond May Disclose To Affected Clients

We have asset owner clients in a variety of critical infrastructure vertical markets. After security assessment, architecture, policy and other engagements we know their systems well. Digital Bond may disclose vulnerabilities to affected asset owner clients under a NDA that prevents further disclosure.

Again to be clear - - Digital Bond does not disclose vulnerabilities to the public. We may choose to provide more information and context once the US-CERT has disclosed the vulnerability.

Digital Bond Promotes Responsible Disclosure

We are strong proponents of responsible disclosure and urge all members of the SCADA security community to develop their own responsible disclosure policy that includes informing a coordination center in their country.