"We have been planning to do the exact same thing at Secunia as what Aaron [Portnoy] mentions (i.e. perform internal research to attempt a partial overlap and then coordinate with the vendors and ICS-CERT)," Carsten Eiram, chief security specialist at vulnerability research firm Secunia, said Monday via email.
When asked what he thinks about ReVuln's decision to sell information about vulnerabilities without reporting them to vendors, Eiram said that he doesn't want to be the judge of what's right or wrong when it comes to disclosure policies. "However, at Secunia we do things differently," he said.
Secunia's disclosure policy is even stricter than that of Exodus Intelligence. Whenever the company's researchers find vulnerabilities, the company reports them to the affected vendors and does not share information about them with its customers or the public until they have been addressed, unless communication with the vendor fails, Eiram said.
ReVuln doesn't plan to stop publishing the names of software vendors that it has vulnerabilities for, even if this will lead to efforts from other researchers to independently find the flaws and report them to the affected companies, Auriemma said. If any of the vulnerabilities offered by ReVuln through its feed service are patched by the vendor, the company will release a generic public advisory about the issue, but will not disclose any technical details publicly, he said.
Ruben Santamarta, a security researcher at security consultancy firm IOActive, who previously reported vulnerabilities in industrial control systems (ICS), believes that business models based on nondisclosure policies are here to stay until software companies make them unsustainable by securing their products.
"This business model can be reprehensible or not, that depends on your ethical point of view," Santamarta said Monday via email. "Regulated or not, as long as there are buyers, there will be sellers, unless we reach the point where there is nothing to sell. Until that moment, I think this kind of company is something the sector has to live with."
Portnoy said that it was easy for him to find vulnerabilities in SCADA software because many of the products he tested didn't even have rudimentary security mitigations built in.
"I think many of these vendors should be forced to perform outsourced code review, at the very least -- especially considering the implications if their software was leveraged by an attacker to gain access to the sensitive systems they support," he said.
"I don't necessarily think SCADA vendors should be forced to perform outsourced code reviews, but looking at the vulnerabilities being discovered, it may be in their best interest to do so," Eiram said. "Many SCADA vendors seem to require a solid SDL [security development lifecycle program]."