If you find a vulnerability in SCADA software and release it as full disclosure (full details and proof-of-concept), ICS-CERT will NOT credit you.
I mean no name at all and not even links to your information; it doesn't matter if your report contains important details.
This is one of their rules and it's also confirmed by the mail I received from them:
Quote:
If a researcher simply publishes a vulnerability without coordinating with
the vendor and/or a CERT, then ICS-CERT will not credit a researcher by
name. If a researcher does coordinate the vulnerability prior to a public
disclosure, then ICS-CERT will provide attribution to the original
researcher.
I think it's idiocy, because for a vendor a public vulnerability is a service he gets for free, and it's surely better than leaving the vulnerabilities undisclosed/unpatched. Anyway, if it's their rule I can say nothing; it's ok.
Or at least it's ok until they release one of their so-called advisories in which they give a completely free advertisement to a company that sells some small SCADA bugs:
http://www.us-cert.gov/control_systems/ ... 096-01.pdf
http://www.us-cert.gov/control_systems/ ... il2011.pdf
The "ironic" thing is that my full name is there because it's part of the announcement/advertisement of that company... shame.
Basically, if you find vulnerabilities in software that the same ICS-CERT defines as critical and important (personally, for me SCADA is just like a game or a media player or a Microsoft server, nothing else) and you sell them on the so-called "black market" to people usually with bad intentions, then you will be credited on their website.
At the same time, the usual "idiot" who reveals the vulnerability for free and to anyone (vendor included) will simply be tagged as a nameless "independent researcher":
http://www.us-cert.gov/control_systems/ ... 91-01A.pdf
http://www.us-cert.gov/control_systems/ ... 091-01.pdf
http://www.us-cert.gov/control_systems/ ... 080-01.pdf
http://www.us-cert.gov/control_systems/ ... 080-02.pdf
http://www.us-cert.gov/control_systems/ ... 080-03.pdf
http://www.us-cert.gov/control_systems/ ... 080-04.pdf
http://www.us-cert.gov/control_systems/ ... 48-01A.pdf
http://www.us-cert.gov/control_systems/ ... versal.pdf
http://www.us-cert.gov/control_systems/ ... 355-01.pdf
http://www.us-cert.gov/control_systems/ ... 348-01.pdf
http://www.us-cert.gov/control_systems/ ... 313-01.pdf
http://www.us-cert.gov/control_systems/ ... 305-01.pdf
Try to guess who that "independent researcher" is :)
Not that I care much, but my intention is to highlight a behaviour that I find completely senseless and even unethical.
The only lucky thing about their advertisement is that the so-called zero-days sold by that company are only some Denial of Service bugs in some lesser-known software, so nothing to care about.