2016-02-01 - Issue discovered to affect Kaa
2016-02-08 - Submitted to ZDI for consideration, case bmartin008
2016-02-10 - ZDI declines, as they are "not interested in vulnerabilities affecting this product"
2016-02-10 - Use Kaa inquiry form to ask preferred way for vuln reporting, no response
2016-02-14 - Ask @KaaIoT on Twitter for preferred way of vuln reporting, no response
2016-02-17 - Opened KAA-866 via their JIRA to ask for preferred way of vuln reporting, no response
2016-03-01 - Sales mail from Vendor asking for feedback on platform
2016-03-01 - Replied to sales mail asking for security contact
2016-03-02 - CTO of CyberVision replies, asking for details
2016-03-02 - Tenable sends over writeup with PoCs
2016-04-20 - Ping vendor for update
2016-05-17 - Ping vendor for update
2016-06-22 - Ping vendor for update
2016-07-20 - Ping vendor for update
2016-08-18 - Ping vendor for update, remind them it's been 5 months since we heard from them.
2016-09-20 - Ping vendor, remind them that we can disclose at any time if we feel it is in the best interest of customers.
2016-10-19 - Left comment on KAA-866 with timeline and asking for some form of acknowledgement.
2016-11-20 - KAA JIRA Administrator deletes KAA-866 without comment.
2016-11-24 - Send timeline and vuln details to ICS-CERT via
[email protected], ask for help with vendor and put them on 45 day clock
2016-11-29 - Ping ICS-CERT to confirm receipt, ask for tracking ID assignment
2016-11-30 - ICS-CERT acks mail, assigns ICS-VU-021384
2017-02-27 - Ping ICS-CERT, ask them to follow 45 day disclosure policy and publish.
2017-02-28 - ICS-CERT wants to involve their leadership and continue to pursue coordination
2017-03-07 - ICS-CERT says their leadership has been on travel, escalating today
2017-03-07 - ICS-CERT confirms they have tried to contact vendor 12 times at this point, with a single response
2017-03-23 - ICS-CERT says they are almost ready to publish, has a couple questions.
2017-03-23 - Tenable provides answers and revised write-up.
2017-04-26 - ICS-CERT says draft advisory ready, sent to OPA (Office of Public Affairs), vendor, and us for review, tentative release date May 2.
2017-05-02 - ICS-CERT publishes ICSA-17-122-02