The following is an e-mail I received from Aaron Portnoy of ExodusIntel in reply to a request for information sent at the end of June regarding its services. Note that at that time I was still a contributor to HP ZDI and I had no plans yet to start my own company.

Just some interesting points in reply to http://blog.exodusintel.com/2012/11/25/what-does-a-flightless-bird-and-scada-software-have-in-common/

- he is "definitely" interested in SCADA vulnerabilities
  + publicly he claims to be not interested in SCADA bugs because they are "easy targets"
    http://aluigi.altervista.org/misc/aaron_scada1.png
- he sells weaponized exploits for defensive and offensive purposes before and after the patch of the vendor
    http://aluigi.altervista.org/misc/aaron_exploits.png
  + publicly he claims to be "responsible": "As we at Exodus we responsibly report all vulnerabilities we deal with, my goal was to report any such findings for free to ICS-CERT, the group responsible for collaborating with SCADA vendors to ensure vulnerabilities are fixed."
  + he even criticizes those who "sell the information privately to their customers", read the following e-mail

I have my own opinion on this matter; please read the following e-mail carefully and draw your own conclusions.

#######################################################################

From: Aaron Portnoy
To: Luigi Auriemma
Subject: Re: info
Date: Fri, 29 Jun 2012 17:27:51 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20120614 Thunderbird/13.0.1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Luigi,

Let me try to answer your questions (feel free to ask for clarification on any of my responses and I'll get back to you as soon as I have a minute).

> - if there are less/more restrictions in the accepted software
> than ZDI. for example do you accept bugs in Winamp? what about
> Opera? and what about those software products that have been killed by ZDI
> recently? (Adobe Shockwave, RealPlayer, TrendMicro and so on) in
> the FAQ you talk about "popularity" so it seems a lot wider than
> ZDI

First off, we want to make it clear that we encourage researchers to reach out to us prior to hunting for vulnerabilities in a target to gauge our interest. It saves the researcher potential time and effort and avoids the situation whereby we aren't interested in vulnerabilities that someone invested a lot of time into researching.

The criteria for what we're interested in depend on a few things...

1. Is the software in wide use in enterprise environments?
2. Does the vulnerability work in a default installation of the target?
3. Is the vulnerability easily exploitable? e.g. Do exploit mitigations on the target platform make exploitation of the issue so difficult that a new technique would be required to achieve code execution?
4. How likely is it that an exploit will be developed and used for the vulnerability (once patched)?
5. Are we aware of a multitude of vulnerabilities in the target, such that information regarding an additional security problem is not actionable by our clients? (RealPlayer, Shockwave, Trend Micro, HP Data Protector, Novell iPrint, Computer Associates, ...)

> - are the offers similar to the recent ones of ZDI?

We plan on offering more than what ZDI offered, the caveat being that we are more restrictive with regard to the quality of what we will attempt to procure.

> - is the minimal PoC enough or do you need a tuned exploit?

A minimal PoC is enough, as long as it demonstrates that code execution could be leveraged without significant effort and/or development of new techniques.

> - the bugs must be highly exploitable or the minimal corruption
> bugs (like doubtful exploitation) are accepted too (like with
> ZDI)?

The vulnerabilities we are interested in are only the ones that we believe will eventually be exploited. Theoretically exploitable bugs are of limited interest to us.
> Then do you accept vulnerabilities in SCADA software? If yes what
> are the vendors/products in which you are interested? ABB/Rockwell?
> GE? Schneider Electric? Siemens? others even if smaller?

We will definitely be interested in vulnerabilities in SCADA software, but we must rely on the submitter to provide us any information regarding the market share of the affected target. We are not interested in bugs in SCADA Devkits or SDKs, though.

> What about weird things like hardware bugs? TV and so on, but in
> this case it's hard to do debugging so I don't know.

We aren't interested in products that won't be present in an enterprise environment. Additionally, we would only be interested in targets that are reachable from outside the internal network and whose compromise would result in escalation of privileges on the network.

> I have not fully understood the following part: "Upon acceptance of
> our offer you agree not to discuss or disclose information
> pertaining to the reported vulnerability for 1 year following the
> public disclosure of the vulnerability." Does it mean that when you
> release the advisory the researcher must wait at least one year
> before releasing his additional details?

Yes, we are procuring the intellectual property and all rights to it. We release the researcher from the embargo one year from the public disclosure. We do this to protect our business model.

> What do you do with the bugs you buy? I mean do you resell this info
> or do you keep it private like ZDI? And what's the level of info you
> send to your customers?

First and foremost we report the vulnerability information to the affected vendors for remediation. Our income is derived from providing information about the vulnerability to our customers so that they can either defend their own networks, or incorporate the intelligence into their security offerings.

> Ah, a non-javascript part of the website would be useful to
> researchers who don't use js.
Hah, yeah, I'm working on it :) Should be done next week sometime...

Let me know if there's anything else you'd like to know.

Regards,

Aaron Portnoy
VP of Research
Exodus Intelligence
http://www.exodusintel.com
E-mail: aaron@exodusintel.com
Twitter: @aaronportnoy

On 6/29/2012 5:11 AM, Luigi Auriemma wrote:
> Have you received my mail?
>
> --- Date: Sat, 23 Jun 2012 07:55:18 +0200
>
> Hey,
>
> I would like to have more info about your program, moreover the
> differences with ZDI considering that you know all the exact cases
> I posted there (type of bugs, affected vendors and so on) and what
> has been rejected recently (for example EMC SnapImage or MS Visio),
> so you already know everything.
>
> I'm mainly interested in some things:
> - if there are less/more restrictions in the accepted software
>   than ZDI. for example do you accept bugs in Winamp? what about
>   Opera? and what about those software products that have been killed
>   by ZDI recently? (Adobe Shockwave, RealPlayer, TrendMicro and so on)
>   in the FAQ you talk about "popularity" so it seems a lot wider than ZDI
> - are the offers similar to the recent ones of ZDI?
> - is the minimal PoC enough or do you need a tuned exploit?
> - the bugs must be highly exploitable or the minimal corruption
>   bugs (like doubtful exploitation) are accepted too (like with ZDI)?
>
> Then do you accept vulnerabilities in SCADA software? If yes what
> are the vendors/products in which you are interested? ABB/Rockwell?
> GE? Schneider Electric? Siemens? others even if smaller?
>
> What about weird things like hardware bugs? TV and so on, but in
> this case it's hard to do debugging so I don't know.
>
> I have not fully understood the following part: "Upon acceptance of
> our offer you agree not to discuss or disclose information
> pertaining to the reported vulnerability for 1 year following the
> public disclosure of the vulnerability." Does it mean that when you
> release the advisory the researcher must wait at least one year
> before releasing his additional details?
>
> What do you do with the bugs you buy? I mean do you resell this info
> or do you keep it private like ZDI? And what's the level of info you
> send to your customers?
>
> Ah, a non-javascript part of the website would be useful to
> researchers who don't use js.
>
> Thanx in advance and take your time to reply :)
>
>
> ---
> Luigi Auriemma
> http://aluigi.org
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

-----END PGP SIGNATURE-----