Thanks to Chris Jager (via Twitter®) for pointing me at the web site of Robus, the collaboration of Adam Crain and Chris Sistrunk that has already brought us the latest ICS-CERT advisory on SEL. This is a deceptively simple web site with only a single page; the only external links go to the ICS-CERT web site, the LinkedIn® profiles of the two principals and the web site of Automatak, their corporate sponsor.
The really interesting part of the site is the listing of the ICS-CERT advisories that their research has been responsible for initiating. There are currently three advisories listed and the word ‘pending’ shown a number of times. Yesterday when I first saw this site there were 12 ‘pendings’; this morning there are 16. Each one reflects (as I understand it) a coordinated disclosure of an ICS vulnerability that has already been made to the vendor but has not yet resulted in a published advisory.
It looks like we are going to be hearing a lot from these two young men.
Keeping in mind that free suggestions are typically worth what you pay for them, I have two suggestions for the web site. First, put a date on each ‘pending’ signifying when the disclosure was actually made; this could help the industry track the general responsiveness of vendors. Second, establish an internal standard (the ICS-CERT 45-day limit, for instance) for a reasonable time to fix a vulnerability and, once that time has elapsed without a fix, add the vendor’s name to the pending listing. This could be followed by a second time limit after which the generic vulnerability description is added to the pending listing as well.
BTW: Suggested reading: Here be Dragons