"It really doesn't matter if this is right or wrong for ICS or any market," Peterson said. "It is the way it is so there's no value in discussing responsible disclosure."
David Harley, a senior research fellow at security vendor ESET, said Tuesday via email that, while he belongs to a generation of researchers that prefers responsible to unrestricted disclosure, he can understand that vulnerability researchers expect something in return for their efforts.
However, if security researchers who find vulnerabilities in industrial control systems don't self-regulate or get support for their work through a government program, they run the risk of meeting legal and other forms of pressure because issues that can affect national security attract particular attention, Harley said.
"Vupen lays claim to a certain amount of self-regulation (in terms of being choosy about its customers): I don't know about Revuln, but at least what they're doing isn't full, promiscuous disclosure," Harley said.
"I can't say I feel comfortable with this, but it may be that legitimized and monetized research will work out better for the online world than multitudes of individuals and unofficial groups working semi-covertly," the ESET researcher said. "If so, let's hope too much damage isn't done while that market stabilizes."
As far ReVuln's customer selection process goes, Auriemma said the company "accepts trusted customers from reputable countries only."
