Sybase invokes licence gag in flaw disclosure row

NGSSoftware negotiations


Database maker Sybase will likely drop legal threats against a UK-based security company this week, allowing the company to publish details on six flaws, a source familiar with the negotiations said on Monday.

The potential agreement between Sybase and Next-Generation Security Software comes after a two-week dispute over whether the security firm could publish additional details of six flaws it had found last year in the database maker's products. NGSSoftware had been scheduled to release its detailed advisories on 22 March.

"NGSSoftware believes we have solved the issues with Sybase, and we are working on a joint announcement," said David Litchfield, managing director for the London-based NGSSoftware. Litchfield would not say more on the possible deal, since the negotiations are ongoing.

Despite the probable resolution, attorneys and software-security experts warn that the recent legal attacks on vulnerability researchers could signal a resurgence of corporate interest in using the law to silence critical software reports.

Last month, a French court levied a €5,000 ($6,500) fine against a part-time security researcher, Guillaume Tena, for intellectual property violations stemming from the researcher's analysis of an antivirus company's software. While the French court suspended Tena's fine and Sybase has likely resolved its dispute with NGSSoftware, the companies' moves highlight the legal minefield that vulnerability researchers increasingly have to navigate, said Jennifer Granick, executive director of Stanford Law School's Center for Internet and Society.

"Researchers feel that software companies have so many different legal options - if they want to come after (the researchers), there are so many ways they can," she said. "The choice over whether they want to do their job now comes with more risk."

While many firms have seemingly been content to work with vulnerability researchers in recent years, several software makers have, since the passage of the Digital Millennium Copyright Act (DMCA), attempted to use the law against researchers who published flaw details against the developer's wishes.

Failed, but chilling, legal tactics

Almost four years ago, multimedia software maker Adobe helped authorities bring charges against a programmer for Moscow-based ElcomSoft for his part in the creation of a program that exploited flaws in Adobe's e-book format. In July 2002, technology giant Hewlett-Packard sent legal notices to researchers at Secure Network Operations after one flaw finder posted details of a vulnerability in the company's Tru64 operating system. And e-mail service provider Tornado Development succeeded in helping prosecutors obtain a guilty verdict against a former employee, Bret McDanel, which resulted in a 16-month prison sentence.

In each case, the security researchers involved won out, eventually. ElcomSoft and its employee, Dmitry Sklyarov, were exonerated, HP backed off its charges against SNOSoft, and McDanel was declared innocent on appeal, but only after serving out a 16-month sentence in prison.

While the US Department of Justice backed away from the arguments used against McDanel, the government still reserved the right to go after people who put information in the public domain with the intent that it be used for a crime, said Granick.

"That makes people worried about these forums and being held responsible for the actions of their listeners," she said. Granick recently published a paper in International Journal of Communications Law and Policy arguing that vulnerability disclosure is an important quality check on software.

Sybase's warnings to NGSSoftware focused on a more controversial legal tactic: exercising the "no publishing benchmarks" clause commonly included in the shrink-wrap licence accompanying most software.

NGSSoftware's policy is to report flaws to the software maker and release a general advisory when that company releases its patch, followed by more detailed advisories three months later. Sybase allowed the company to publish general information on the flaws it found in Sybase's Adaptive Server Enterprise (ASE) database software, but warned that if the company released more detailed information, it would consider it a breach of the software license agreement.

"Sybase does not consent to the disclosure of the vulnerabilities and will consider such disclosure a material breach of the ASE Developer Edition's license agreement," the company stated in the letter sent to NGSSoftware.

The company could not be reached for comment on vulnerability disclosure issues, but in a previous statement, the firm voiced concerns that too much detail in a vulnerability advisory could hurt its clients.

Sybase is not the first company to threaten legal actions against vulnerability researchers based on perceived violations of the terms of the software license agreement. Still, the legal basis under which software companies attempt to enforce no-benchmarking and no-reverse-engineering clauses is not clear, according to an analysis of reverse engineering written by two professors at the University of California at Berkeley and published in the Yale Law Review in April 2002.

"The enforceability of such restrictions has been a highly contentious legal issue both in the US and abroad," Pamela Samuelson, professor of law and information management, and Suzanne Scotchmer, professor of economics and public policy, wrote in the paper.

The future may find that such contracts have more force, however. Since the provisions that concern security researchers do not apply to the average consumer, the lion's share of a software maker's market will not be worried about the stipulations, said Stanford's Granick.

"The problem with contractual arguments is that people can waive all sorts of rights in a contract," she said. "And these mass-market contracts waive a lot of rights that hurt security."

Increasingly, security researchers are quick to condemn the practice, emphasizing that vulnerability advisories act to inform consumers about the safety of software products.

"To use a software license agreement essentially as a gag order to prevent people from disclosing information on a vulnerable product is a horrible way to do business," said Mark Rasch, chief security counsel of security firm Solutionary.

"This is the kind of activity you want to reward," he said. "If you don't, then they will post it anyway - anonymously on blogs."

Copyright © 2005, SecurityFocus
