Portnoy hopes that his findings partially overlap with those of ReVuln, because unlike ReVuln, he plans to report the vulnerabilities to ICS-CERT, which will then coordinate the disclosure with the affected vendors.
He would like to see ICS-CERT create a repository of SCADA software accessible to researchers who practice responsible disclosure. Even a list of software that's most important to audit would help, he said.
"I have a problem with nondisclosure," Portnoy said. "I don't think it does the industry or the general populace any good to purposely not allow a vendor to fix vulnerabilities by withholding information, which is why we responsibly disclose all of ours."
Much like ReVuln, Exodus Intelligence sells information about unpatched vulnerabilities through a subscription-based service. However, the service is aimed at helping companies defend their systems against attacks targeting such vulnerabilities until the software vendor is able to provide a patch.
The company always notifies vendors about the flaws before sharing information about them with its customers, Portnoy said. "All our clients are under a strict contract disallowing them from doing anything externally offensive with the information, besides testing their own defensive mitigations while the vendor works on a patch."
Exodus' reports include detailed analysis of the issues, an assessment of their risks, mitigation recommendations and sometimes exploit code. "We supply exploits for these issues because we've seen a history of defensive vendors basing their output on simple proof of concepts, and that does not yield realistic protection."
Portnoy is not the only researcher who had the idea of independently finding the vulnerabilities showcased by ReVuln and reporting them to vendors.
"We have been planning to do the exact same thing at Secunia as what Aaron [Portnoy] mentions (i.e. perform internal research to attempt a partial overlap and then coordinate with the vendors and ICS-CERT)," Carsten Eiram, chief security specialist at vulnerability research firm Secunia, said Monday via email.
When asked what he thinks about ReVuln's decision to sell information about vulnerabilities without reporting them to vendors, Eiram said that he doesn't want to be the judge of what's right or wrong when it comes to disclosure policies. "However, at Secunia we do things differently," he said.
Secunia's disclosure policy is even stricter than that of Exodus Intelligence. Whenever the company's researchers find vulnerabilities, the company reports them to the affected vendors and does not share information about them with its customers or the public until they have been addressed, or unless communication with the vendor fails, Eiram said.
ReVuln doesn't plan to stop publishing the names of software vendors whose products it has vulnerabilities for, even if this leads other researchers to try to independently find the flaws and report them to the affected companies, Auriemma said. If any of the vulnerabilities offered through ReVuln's feed service are patched by the vendor, the company will release a generic public advisory about the issue but will not disclose any technical details publicly, he said.