Responsible disclosure, irresponsible reply

It appears that yet another large software vendor has taken it upon themselves to threaten legal action against a security vulnerability researcher. Although the Cisco debacle back at the Blackhat 2005 conference (see Michael Lynn’s presentation “The Holy Grail: Cisco IOS Shellcode And Exploitation Techniques”) was the most widely publicised legal wrangle to date, it appears that companies are still ignoring the wishes of their user base and continuing with this rather unfriendly tactic. After all, aren’t these researchers doing the job that the software vendor is meant to be doing themselves?

This time Denmark-based Secunia was contacted by Autonomy Inc. with reference to a now patched vulnerability in its SDK. This request for more information prompted a barrage of legal messages stating that if Secunia were to post any information regarding this or any other vulnerabilities discovered in its software line, they would be on the receiving end of legal proceedings.

Putting aside the business and marketing issues surrounding acknowledgement of a security vulnerability, comments made in the contact letter were, to me at least, very naive for an established company. Autonomy Inc stated “… putting aside the availability of a fix, the real likelihood of that such a vulnerability would be exploited is minimal.” It seems that Autonomy has more interest in protecting its own image than in protecting the security of its clients. We all know that things may be unlikely to happen, but if we all thought that way, what kind of a mess would we be in? I just hope that someday companies such as this realise that security researchers are not the enemy; they’re an ally in the battle against those who truly want to exploit the flaws. Would we rather that kind of people found the flaws first?

For more in-depth information on the story see the Secunia blog on the issue.

