The 2008 Pwnie Nominee For Lamest Vendor Response

Wonderware

Response to SCADA denial of service vulnerability

CORE Security reported a denial of service vulnerability in Wonderware’s SCADA software. It is no wonder that the vendor took a long time to even acknowledge the vulnerability, and their response indicated total incompetence:

2008-01-30: Initial contact email sent to Wonderware setting the estimated publication date of the advisory to February 25th.
2008-01-30: Contact email re-sent to Wonderware asking for a software security contact for Wonderware InTouch.
2008-02-06: New email sent to Wonderware asking for a response and for a software security contact for Wonderware InTouch.
2008-02-28: Core makes direct phone calls to Wonderware headquarters informing of the previous emails and requesting acknowledgment of the notification of a security vulnerability.
2008-02-29: Vendor asks for a copy of the proof of concept code used to demonstrate the vulnerability.
2008-03-03: Core sends proof-of-concept code written in Python.
2008-03-05: Vendor asks for compiler tools required to use the PoC code.
2008-03-05: Core sends a link to http://www.python.org