May 13, 2021 - Tenable Reports Vulnerability to Schneider
May 13, 2021 - Schneider Acknowledges report and asks for attachment to be resent using PGP encryption
May 13, 2021 - Tenable resends attachments and link to uploaded PoC video
May 26, 2021 - Schneider reports that the issue is likely a duplicate of something they are actively working on
June 2, 2021 - Schneider confirms that issue is duplicate and that they will update me with a timeline shortly.
June 2, 2021 - Tenable asks if vulnerability was reported internally or externally and if they plan on publishing a CVE
June 2, 2021 - Schneider reports that a few different entities have reported the issue externally and that a CVE will be published.
June 21, 2021 - Schneider reports that they plan to disclose on the 13th of July and asks for Tenable to share any content we are preparing to publish.
June 21, 2021 - Tenable responds that we typically do not share internal documents prior to publication.
June 24, 2021 - Tenable asks for information on patches.
June 25, 2021 - Andrew Kling, VP product security officer at Schneider Electric is looped into disclosure email chain.
June 25, 2021 - Andrew Kling tells us five total people have reported the vulnerability and again asks for blog contents to review. He also loops in Marty Edwards, VP at Tenable.
June 25, 2021 - Tenable re-explains it's full disclosure policy.
June 28, 2021 - A phone call is organized with Schneider and Tenable.
July 6, 2021 - Schneider shares their draft advisory with Tenable
July 7, 2021 - Tenable shares names of news agencies we will pitch the vulnerability to.
July 7, 2021 - Tenable shares blog draft with Schneider.
July 8, 2021 - Schneider Asks Tenable to redact technical details of blog post, to not release a demonstration video, and to not release PoC code.
July 9, 2021 - Tenable meets with Schneider again and agrees to redact details of vulnerability (going against our full disclosure policy). Schneider confirms the vulnerability will not be patched yet for several months
July 9, 2021 - Tenable learns issue was originally reported to Schneider last fall (2020)
July 13, 2021 - Tenable Releases advisory