[SCADASEC] Wurldtech Disclosure Policy
Mark Fabro
fabro at loftyperch.com
Fri May 16 13:25:40 CDT 2008
Matt,
How does the idea to use proven reporting capabilities (ones that clearly have access to the vendor community) illustrate the demise of 'pure play' researcher orgs? Lots of researchers want to get credit for their findings (and get attention for their parent org)... why not use effective channels? Your message seems to suggest that pure-plays find and post with little regard for a proven process. My experience is that they will use it if they can and they trust it. I guess there is a lot of work we need to do, hm?
Pure-plays are not going anywhere, the 'purest' of which we may never hear from as they lurk, do research, and collect vulns to store for a rainy day :) I think using pre-established channels, whatever they may be, also off-loads a lot of the hassle surrounding disclosure (yes, when it works properly).
MGF
------Original Message------
From: Matthew Franz
To: scadasec at news.infracritical.com
ReplyTo: scadasec at news.infracritical.com
Sent: May 16, 2008 1:55 PM
Subject: [SCADASEC] Wurldtech Disclosure Policy
See http://www.wurldtech.com/blog/?p=73 and
http://wurldtech.com/legal/disclosure_policy.php
There are a number of things that were interesting about this blog, but
what I think was most important was that we have another consulting
firm (yes, I know Wurldtech does products, too) validating the role of
government coordination centers in the *public* disclosure of control
system vulns:
"In no case will Wurldtech publicly disclose any vulnerability.
Instead, we will rely on the US-CERT and CERT/CC co-ordination centers
to balance the interests of the vendors, asset owners, and other
stakeholders in determining when to publicly disclose."
I also think this reflects the demise/decline (meaning assimilation
into product vendors) of the pure-play security consulting firms
(think ISS and @stake) and of the big advisories as marketing activities.
It will be interesting to see if other (Industrial Defender, Byres
Security, INL and other commercial entities that target this market)
follow suit with announcements of their disclosure policies.
- mdf
--
Matthew Franz
http://www.threatmind.net/
_______________________________________________
To unsubscribe from this mailing list, please visit:
http://news.infracritical.com/mailman/listinfo/scadasec
To review our privacy statement, please visit:
http://www.infracritical.com/privacy.html
Mark Fabro CISSP, CISM
President and CEO
Lofty Perch, Inc.
fabro at loftyperch.com
(647)226-4225 direct