Feeds

Software maker releases the hounds on security vuln reporter

Too late

Build a business case: developing custom apps

Legal attack dogs for enterprise search provider Autonomy have threatened action against Secunia after the vulnerability publisher asked for information relating to a serious bug in an Autonomy product.

A series of nasty grams sent over the past week came in response to requests by Secunia researchers for information relating to security errors in Autonomy's Keyview SDK that could allow attackers to remotely execute malicious code on an end user's machine. The software is available as a stand-alone product and is also integrated into IBM's Lotus Notes and Symantec's Mail Security.

Although Autonomy appears to have patched the vulnerability some nine months ago, IBM only recently plugged the hole in various versions of its Lotus Notes products. That caught the attention of Secunia, which serves as a site of record for security vulnerabilities and, when available, patches that correct them.

According to documents posted here, a Secunia researcher emailed Autonomy asking for more details, specifically, what versions of the SDK are vulnerable and what versions are fixed by Autonomy's patch.

What followed was a letter from Autonomy's associate general counsel saying the vulnerability had already been fixed and arguing an advisory that publicly acknowledged the patch would only mislead and confuse people. It went on to threaten legal action should Secunia go ahead with an advisory.

"We demand that you withhold publication of your intended advisory (as well as any other advisory related to our products, including, without limitation any advisory related to Applix Graphics Parsing vulnerabilities) absent our prior express written consent and that you consult with us in full, and at least two weeks prior to any intended publication date, so that we may have a reasonable opportunity to resolve any issues in advance," the letter stated.

The flare-up is the latest example of the risks security researchers face when publicly exposing security bugs that potentially can have devastating effects on those using the faulty products. The biggest conflict to date came when Cisco Systems got a restraining order against researcher Michael Lynn to prevent him from discussing a flaw in one of the networking giant's routers. Oracle and Apple have also been known to have testy relationships with people criticizing the security of their products.

Autonomy's December 2 letter was followed by at least two more that warned Secunia of the consequences should it publish an advisory. Among other things, the legal broadsides threatened legal action if Autonomy determined Secunia had obtained the SDK code through illegal means.

"Rather than pursuing a letter writing campaign, suffice to say that we will not tolerate any publications regarding our company, our products, our services or our practices, which violate our intellectual property rights, or which give rise to any cause of action in equity or at law," the Autonomy attorney, Joel Scott, wrote on December 5. "While it is always our preference to resolve issues amicably, we are hopeful that you will ensure that Secunia remains in full compliance with all of its legal responsibilities and obligations, including to our customers and ourselves."

The irony is that Autonomy's missives relating to the anticipated article came three days after Secunia published this advisory about the Keyview bug. Did no one in Autonomy's legal department bother to check?

Update

After this story was published, Autonomy responded with a statement that read in part:

"When we believe users are going to be misled, presumably for reasons of self promotion, we make every effort to nicely ask that the organization publish full and accurate information. When the issue continues unresolved, we regret we have to ask more forcefully. All Secunia needs to do is publish the facts in full without leaving out important facts and Autonomy, Secunia and our users will be well served."

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.