[ISN] Legal threat stops flaw info release
isn at c4i.org
Mon Mar 28 04:59:37 EST 2005
By Jaikumar Vijayan
MARCH 25, 2005
A threat by Sybase Inc. to sue a U.K.-based security research firm if
it publicly discloses the details of eight holes it found in Sybase's
database software last year is evoking sharp criticism from some IT
managers but sympathetic comments from others.
Blocking the release of vulnerability information "would set a bad
precedent" for the software industry, said Tim Powers, senior network
administrator at Southwire Co., a Carrollton, Ga.-based maker of
electrical wires and cables.
Responsible disclosure of software flaws by vulnerability researchers
has "significantly improved" the security of products, Powers said.
"Preventing disclosure through the threat of legal action can only
hurt security," he said.
But Kim Milford, information security manager at the University of
Rochester in New York, said she thinks most IT support workers would
contact their software vendors directly if security patches weren't
effective or couldn't be applied to systems. In such cases, "hackers
tend to benefit the most from the release of technical details" about
security vulnerabilities, she said.
Dublin, Calif.-based Sybase this week sent a letter to Next Generation
Security Software Ltd. warning of legal consequences if it went ahead
with plans to release information about the flaws it discovered in
Version 12.5.3 of Sybase's Adaptive Server Enterprise (ASE) software.
Surrey, England-based NGS initially disclosed the existence of the
flaws only to Sybase, which released a fully patched and updated
version of the affected software last month. In line with its stated
practice of first waiting for vendors to issue patches, NGS had said
it would publicly release details of the flaws on Monday. It decided
not to after receiving Sybase's letter.
"We were quite shocked," David Litchfield, one of the founders of NGS,
said via e-mail. "They claim that looking for security bugs comes
under the banner of database performance testing and benchmarking."
Litchfield noted that the license agreement for the development
edition of ASE prohibits publication of performance testing and
benchmarking results without Sybase's permission.
In an e-mailed statement, a Sybase spokeswoman defended the company's
action and said it was motivated by concern for the security of its
users. "Sybase does not object to publication of the existence of
[security] issues discovered in its products," the statement read.
"However, the company does not believe that publication of highly
specific details relating to issues is in the best interest of its
The case highlights the need for more cooperation between software
vendors and vulnerability researchers, said Eric Beasley, senior
network manager at Baker Hill Corp., a Carmel, Ind.-based provider of
application services to the banking industry.
"I think it's a very bad idea to try and squash vulnerability research
because then, obviously, most [vendors] are not going to endeavor to
make safer software," Beasley said. "Security through obscurity just
does not work."
At the same time, though, security researchers need to work with
vendors and ensure that information is disclosed only in a responsible
and safe manner, Beasley said. "The two sides need to be looking at
such problems together and not get into such an adversarial
Sybase's action is "abhorrent," said Russ Cooper, editor of the
NTBugtraq mailing list and a senior scientist at Cybertrust Inc. in
Herndon, Va. "It's equivalent to suing a whistle-blower and should not
be tolerated," he said. "No extortion occurred. They were told upfront
when details would be published."
Sybase's warning, though rare, isn't entirely unprecedented, said
Michael Sutton, director of vulnerability research at iDefense Inc. in
Reston, Va. In the past, iDefense has been threatened with similar
actions by software vendors, though none has yet gone to the extent of
sending a formal legal notice like Sybase did, Sutton said.
Bruce Schneier, chief technology officer at Counterpane Internet
Security Inc. and a longtime advocate of public vulnerability
disclosures, said the notion that bug hunters only increase security
risks by unearthing and disclosing well-hidden software problems is
just plain wrong.
"That is just naive," Schneier said. "Don't shoot the messenger. Just
fix the problems in your software."
But Bob Bagamery, a systems support specialist at a large Canadian
utility that he asked not to be named, said the threat of disclosing
detailed information about vulnerabilities should be used by security
researchers only "when not enough effort is being made to correct the
flaw, or when the software manufacturer is trying to blow off" the
"The whole concept of bug-finding simply to find bugs is fundamentally
flawed," said Pete Lindstrom, an analyst at Spire Security LLC in
Malvern, Pa. "Litchfield and all the other bug hunters are profiting
by making the entire enterprise world miserable. It's about time
someone took action to at least make them justify what they are
More information about the ISN