Vulnerability Disclosure
From Open SCADA Security Project
Responsible disclosure means many things to many people. It typically involves notifying the product vendor of the issue and giving the vendor an opportunity to develop a patch. This page outlines options for researchers who want to disclose responsibly.
Full Disclosure
In many cases the devices being used cannot be easily patched. Updating firmware and software is not an option within a short time frame. As a result of these practical restrictions, full disclosure within the SCADA domain is strongly discouraged.
Non-responsive Vendor
In some instances a vendor may be non-responsive or may not even acknowledge the vulnerability. After a reasonable attempt has been made to inform the vendor, contacting the following consortiums may be of assistance:
- Trusted Information Sharing Network (Australia)
  - Hotline: 1800 123 400
- US-CERT (USA)
- Information Technology Information Sharing and Analysis Center (USA)

