Thanks to Chris Jager (via Twitter®) for pointing me
at the web site of Robus, the
collaboration of Adam Crain and Chris
Sistrunk that has already brought us the latest ICS-CERT
advisory on SEL. This is a deceptively simple web site with only a single
page; the only external links go to the ICS-CERT web site, the LinkedIn®
profiles of the two principals and the web site of Automatak, their corporate sponsor.
The really interesting part of the site is the listing of the
ICS-CERT advisories that their research has been responsible for initiating.
There are currently three advisories listed and the word ‘pending’ shown a number
of times. Yesterday, when I first saw this site, there were 12 ‘pendings’; this
morning there are 16. Each one (as I understand it) represents a coordinated
disclosure of an ICS vulnerability that has already been made but for which no advisory has yet been published.
It looks like we are going to be hearing a lot from these
two young men.
Keeping in mind that free suggestions are typically worth
what you pay for them, I have two suggestions for the web site. First, put a
date on each ‘pending’ signifying when the disclosure was actually made; this
could help the industry track the general responsiveness of vendors. Second,
establish an internal standard (the ICS-CERT 45-day limit, for instance) for a
reasonable time to fix a vulnerability and, once that time has elapsed, add the vendor’s name to the
pending listing. This could be followed by a second time limit after which the generic
vulnerability description is added to the pending listing.
BTW: Suggested
reading: Here be Dragons
1 comment:
Thanks Patrick. We'll take comments into consideration. FYI, Automatak link points back to Robus.