[SCADASEC] Wurldtech Disclosure Policy

Matthew Franz mdfranz at gmail.com
Fri May 16 12:55:15 CDT 2008


See http://www.wurldtech.com/blog/?p=73 and
http://wurldtech.com/legal/disclosure_policy.php

There are a number of things that were interesting about this blog, but
what I think was most important was that we have another consulting
firm (yes I know Wurldtech does products, too) validating the role of
government coordination centers in the *public* disclosure of control
system vulns:

"In no case will Wurldtech publicly disclose any vulnerability.
Instead, we will rely on the US-CERT and CERT/CC co-ordination centers
to balance the interests of the vendors, asset owners, and other
stakeholders in determining when to publicly disclose."

I also think this reflects the demise/decline (meaning assimilation
into product vendors) of the pure-play security consulting firms
(think ISS and @stake) of the big advisories as marketing activities.

It will be interesting to see if others (Industrial Defender, Byres
Security, INL and other commercial entities that target this market)
follow suit with announcements of their disclosure policies.

- mdf

-- 
Matthew Franz
http://www.threatmind.net/


