Petronella Blog Archive

Legal Threats and Vulnerability Disclosures

One company says consumers have a right to know about software vulnerabilities.  Another wants to protect their proprietary source code.

Two security firms, ERNW and FireEye, are at odds with each other over disclosing vulnerabilities. ERNW reported that FireEye obtained a court injunction against them to keep ERNW's researchers from disclosing information about vulnerabilities they found in FireEye software. ERNW argues that the information is required to explain the vulnerabilities. FireEye says disclosing the information could put its users at risk.

The founder of ERNW, Enno Rey, published a blog article lamenting the use of legal action to keep them from disclosing what they saw as important information.  Many in the security community are on ERNW's side about it.

The debate between security researchers and vendors over disclosing vulnerability information is not a new one. Cisco threatened a researcher with an injunction and a lawsuit a decade ago. A few years later, Boston's subway officials got an injunction against three MIT students who found vulnerabilities in the payment system. What sets this case apart, though, is that it pits two security firms against each other, both of which have a pretty thorough understanding of the importance of security research. FireEye, in fact, has published its own findings on vulnerabilities, including a recent one on Android fingerprint scanner vulnerabilities.

For its part, FireEye says it is fine with the existence of the vulnerabilities in its software being disclosed, but not the in-depth details. The company says it is no stranger to negotiating the release of such information, but did not feel comfortable with the amount ERNW wanted to publish. It says it tried talking with ERNW about it, but the negotiations weren't going anywhere, which prompted the injunction.