[SCADASEC] Flaw Disclosure
Ivan Arce
ivan.arce at coresecurity.com
Wed Aug 27 09:22:05 CDT 2008
Hello Jake,
Dale's blogpost is a good summary of the session but not necessarily a
complete fully detailed one. When I mentioned the guidelines that we
follow during the reporting process I included:
". There is no silver bullet, one-size doesn’t fit all"
Which meant to say that we do consider and analyze each vulnerability
and the process to follow on a case-by-case basis. Although we have
guidelines that we observe, they are not rigid, clean-cut & unambiguous
rules set in stone.
Another guideline I mentioned is:
". Research and publish potential workarounds and alternative
mitigation strategies. Patching is not the only possible way to address
software security bugs and the official vendor is not the only possible
solution provider."
BTW, at the panel I talked about our experiences in the past 13 years in the
IT security space and why and how we do vuln research and reporting
in that space, but I also indicated that we do not have expertise or
experience in the process control world (except for only 2 data points)
and that what we do may or may not map to the best reporting process for PCS
vulnerabilities.
Nonetheless I hope that just by exposing how we've been doing things in
our field for many years we've contributed a bit to move the debate forward.
-ivan
Jake Brodsky wrote:
> On Digital Bond's web site, Dale Peterson recounted a discussion from
> the PCSF conference regarding information disclosure.
>
> See http://www.digitalbond.com/index.php/2008/08/26/pcsf-san-diego-tuesday-day-one/
>
> The discussion is interesting in that there were many opinions
> expressed, but not one of them seemed to indicate an answer such as
> "it depends upon the impact, patching difficulty, ubiquity, and
> platform."
>
> I'm wondering if anyone else would like to chime in on this issue.
>
> Jake Brodsky