I was really looking for a good news story today after some recent gloom and doom blog entries. Thankfully ICS-CERT issued an advisory today for some fixed ClearSCADA vulns that Digital Bond found last year.
Here’s the good news. Control Microsystems got back to us immediately upon our reporting the vulns, quickly verified the vulns, and quickly had fixes available for the vulns. There were three different types of vulns across multiple product versions, and they did all this work quickly and interacted with Digital Bond professionally throughout the process. They wanted more details rather than trying to explain it away or ignore it.
Kudos also to ICS-CERT who handled the coordinated disclosure process and worked with the vendor to agree on timelines for customer disclosure and this open disclosure. This instance and others with AREVA, OSIsoft, et al. show that the CERT process is working when a researcher discloses a vulnerability and the vendor is responsive.
We left the timeline completely up to ICS-CERT and the vendor to hash out. Not because we are nice guys, but because we aren’t interested in fighting that battle. It was interesting and a good thing that ICS-CERT kept checking with us to see if we were concerned about the timeframe. I’m convinced they would have helped coordinate a sped-up process if we, or any researcher, had pushed the issue.