Core Technologies outs Citect to Associated Press-- is this ethical?

June 11, 2008
As I posted over on Joe Weiss' blog Unfettered, Core Technologies "reported exclusively" to the Associated Press about a buffer overflow vulnerability they found in CitectSCADA. The flaw is repaired, although, once again Core insists that it was "five months" before Citect responded to their notification. They made the same charge against Wonderware a month or so ago...but they didn't...
As I posted over on Joe Weiss' blog Unfettered, Core Technologies "reported exclusively" to the Associated Press about a buffer overflow vulnerability they found in CitectSCADA. The flaw is repaired, although, once again Core insists that it was "five months" before Citect responded to their notification. They made the same charge against Wonderware a month or so ago...but they didn't ever say how they had tried to contact WW or Citect-- sending emails to "info@..." probably won't get there. My continuing problem with this is that I don't think what Core (and the other security companies that gain visibility, advertising, street cred, and whatever else they want in support of additional business) is doing is ethical. Encouraging somebody to exploit a previously unknown (and according to Core, unexploited) vulnerability in Critical Infrastructure seems to me to be a dangerous, and potentially deadly practice. That's what Core is doing-- and they are doing it to advertise their services as a security consultant. If I did that to gain more readership, I'd have people correctly questioning my ethics, you bet.  Walt

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.