“At least you, and I, have the courtesy to link to the bulletin when we discuss it. ICS-CERT has not linked once to the Basecamp posts or pages that disclose the vulnerabilities even though they just paraphrase what we identify.”
Dale makes a very valid point. The vulnerability disclosures made by security researchers is intellectual property. Some of that property belongs to people like Dale who makes their living selling cybersecurity services. Dale and others like him in the cybersecurity services industry have worked hard to establish their reputations as knowledgeable service providers. A large part of that effort includes things like his blog, his somewhat annual S4 conference, and projects like Project Basecamp. Failure to properly recognize that effort when using the publicly available fruits of his labor and expertise does him a disservice and negatively impacts on his livelihood. For a government agency like ICS-CERT to do so is particularly aggravating.
Now to be fair ICS-CERT has improved their credit-sharing efforts. Six months ago they were not even identifying the names of researchers unless the disclosures were made in a coordinated manner; Basecamp would not even have been mentioned in the alerts if it had happened six months ago. I commended the folks at ICS-CERT when they made that change and continue to maintain that it was a step in the right direction.
However, in the digital communication age, mentioning a name is not enough; a link to the information when it is provided on the web is the absolute minimum of common courtesy. In the case of ICS-CERT alerts and advisories it is even more than that; it is a valuable service to the control system community that relies on ICS-CERT for information about system vulnerabilities.
The ICS-CERT communications are at best summaries of the information on vulnerabilities and the mitigations. They are designed to be, and serve their most valuable purpose when they are digests of information. If they were detailed discourses on the subject only the most dedicated cybersecurity nerds would read them. They would not be of any real service to the community.
A cybersecurity manager or consultant can easily review these products as they are published and make a quick determination of whether or not they may be applicable to their system. But to decide what action needs to be taken in their facility in order to properly respond to the potential vulnerability these people are going to need access to much more information. The vendor will certainly provide some the necessary details; which is why ICS-CERT provides links to the vendor patches and security documentation when it is available.
But, as we have seen over the last year, the adequacy of the responses of the vendors has been less than adequate in many instances. To have the information necessary to respond to a potential vulnerability a security manager or consultant is going to have to access the vulnerability data actually developed by the security researcher. This is the real reason that ICS-CERT should be including links to the original vulnerability reports in their alerts and advisories.
And remember, most security researchers are making at least a portion of their living from these efforts. If not adequately recognized, independent security researchers might turn to portions of the market place for cybersecurity vulnerability information that would be willing to pay for 0-day exploits. We really don’t need that.
So, I urge ICS-CERT to continue to evolve their researcher disclosure policy by including links to the original information on disclosures. It would be a valuable service to the entire cybersecurity community.