Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



SCADA Vendor Bashed Over “Pathetic” Bug Bounty Program

A SCADA software vendor announced a vulnerability bounty program with a twist: instead of paying researchers for bugs, it will offer points that can be redeemed towards buying licensed copies of the company’s software.

A SCADA software vendor announced a vulnerability bounty program with a twist: instead of paying researchers for bugs, it will offer points that can be redeemed towards buying licensed copies of the company’s software.

“This non-monetary bug bounty program is part of our effort to make IntegraXor SCADA more secure, safe and stable,” IntegraXor said in a blog post on its Website.

The value of the rewards range between $149 and $3,999, depending on how the licenses are sold, the company said. Researchers will earn different amounts of points depending on the severity of the bug they reported. “If you are not an IntegraXor SCADA user, then you are allowed to resell the reward point in our forum or anywhere else,” the company said.

SCADA Bug Bounty ProgramThere have been numerous reports of serious vulnerabilities in supervisory control and data acquisition systems over the past few years. These industrial control systems are found in a number of environments, such as manufacturing plants, utilities, and transportation systems. Most of the vulnerabilities have to do with poor authentication schemes and the fact they weren’t originally designed to be on the network in the first place.

Fixing the issues have been notoriously a slow process, as vendors have not typically released patches in a timely manner. It’s also challenging to take systems offline for maintenance since they are generally used in critical environments where systems can’t be turned off. Even so, some vendors have started taking vulnerability disclosures seriously and started working with the research community to identify and repair some of the issues.

In the case of IntregraXor’s bug bounty program, however, critics blasted the company for implementing a rewards program that provided no incentives for researchers to participate. The fact that points can be redeemed only to buy software from the same vendor will encourage researchers to not bother looking at the software, or sell interesting bugs on the open market.

“The kind of people who have the skills to find the really important bugs are not going to be interested in a free license or two,” Chris Soghoian, a well-known privacy researcher currently working with the American Civil Liberties Union, told SecurityWeek. “If this company wants to encourage researchers to come to them with exploitable vulnerabilities, they should follow the lead of companies like Facebook, Google and now Microsoft too: offer cash,” he said.

On Twitter, Soghoian called the program, “pathetic.”

Advertisement. Scroll to continue reading.

Under the terms of the program, researchers who find vulnerabilities must disclose the issue directly to the company and not through a third-party. The disclosure must include a complete list of steps taken to reproduce the bug, or a proof-of-concept, according to the post. Researchers are also warned to download and setup their own testing environment, and not to attempt to access production or other systems.

The company is only interested in vulnerabilities affecting the IGX SCADA system, especially those that affect the integrity of data linked to external devices, particularly tag data, according to the post. Issues found in the beta, release candidate, or out-of-date IntegraXor server/editor, browsers, and plugins will not be accepted by the program.

The company will also not consider physical attacks or issues that arise from unexpected usage. Vulnerabilities found in how third-party libraries, external devices, and other products communicate with Integraxor’s devices will not be considered. The issues are not within the company’s control. However, researchers would still get some credit for some of these disclosures since the company would know which third-party products are risky to use. The program will accept only “practical issues,” according to the post.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...