Feeds

Software maker releases the hounds on security vuln reporter

Too late

The Power of One eBook: Top reasons to choose HP BladeSystem

Legal attack dogs for enterprise search provider Autonomy have threatened action against Secunia after the vulnerability publisher asked for information relating to a serious bug in an Autonomy product.

A series of nasty grams sent over the past week came in response to requests by Secunia researchers for information relating to security errors in Autonomy's Keyview SDK that could allow attackers to remotely execute malicious code on an end user's machine. The software is available as a stand-alone product and is also integrated into IBM's Lotus Notes and Symantec's Mail Security.

Although Autonomy appears to have patched the vulnerability some nine months ago, IBM only recently plugged the hole in various versions of its Lotus Notes products. That caught the attention of Secunia, which serves as a site of record for security vulnerabilities and, when available, patches that correct them.

According to documents posted here, a Secunia researcher emailed Autonomy asking for more details, specifically, what versions of the SDK are vulnerable and what versions are fixed by Autonomy's patch.

What followed was a letter from Autonomy's associate general counsel saying the vulnerability had already been fixed and arguing an advisory that publicly acknowledged the patch would only mislead and confuse people. It went on to threaten legal action should Secunia go ahead with an advisory.

"We demand that you withhold publication of your intended advisory (as well as any other advisory related to our products, including, without limitation any advisory related to Applix Graphics Parsing vulnerabilities) absent our prior express written consent and that you consult with us in full, and at least two weeks prior to any intended publication date, so that we may have a reasonable opportunity to resolve any issues in advance," the letter stated.

The flare-up is the latest example of the risks security researchers face when publicly exposing security bugs that potentially can have devastating effects on those using the faulty products. The biggest conflict to date came when Cisco Systems got a restraining order against researcher Michael Lynn to prevent him from discussing a flaw in one of the networking giant's routers. Oracle and Apple have also been known to have testy relationships with people criticizing the security of their products.

Autonomy's December 2 letter was followed by at least two more that warned Secunia of the consequences should it publish an advisory. Among other things, the legal broadsides threatened legal action if Autonomy determined Secunia had obtained the SDK code through illegal means.

"Rather than pursuing a letter writing campaign, suffice to say that we will not tolerate any publications regarding our company, our products, our services or our practices, which violate our intellectual property rights, or which give rise to any cause of action in equity or at law," the Autonomy attorney, Joel Scott, wrote on December 5. "While it is always our preference to resolve issues amicably, we are hopeful that you will ensure that Secunia remains in full compliance with all of its legal responsibilities and obligations, including to our customers and ourselves."

The irony is that Autonomy's missives relating to the anticipated article came three days after Secunia published this advisory about the Keyview bug. Did no one in Autonomy's legal department bother to check?

Update

After this story was published, Autonomy responded with a statement that read in part:

"When we believe users are going to be misled, presumably for reasons of self promotion, we make every effort to nicely ask that the organization publish full and accurate information. When the issue continues unresolved, we regret we have to ask more forcefully. All Secunia needs to do is publish the facts in full without leaving out important facts and Autonomy, Secunia and our users will be well served."

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.