, SecurityFocus 2005-04-05
Database maker Sybase dropped legal threats against a U.K.-based security company this week, allowing the company to publish details on six flaws on Tuesday.The agreement between Sybase and Next-Generation Security Software comes after a two-week dispute over whether the security firm could publish additional details of six flaws it had found last year in the database maker's products. NGSSoftware had been scheduled to released its detailed advisories on March 22.
"Sybase constantly strives to improve the security and functionality of our software," Herman Li, vice president of engineering for Sybase said in a statement posted late Monday. "We thank NGS Software for bringing these vulnerabilities to our attention, and are pleased that we were able to work together to communicate the vulnerabilities in a way that further reduces risk."
Despite the final--and favorable--resolution, attorneys and software-security experts warn that the recent legal attacks on vulnerability researchers could signal a resurgence of corporate interest in using the law to silence critical software reports.
Last month, a French court levied a 5,000 euro ($6,500 U.S.) fine against a part-time security researcher, Guillaume Tena, on intellectual property violations stemming from the researcher's analysis of an antivirus company's software. While the French court suspended Tena's fine and Sybase has resolved its dispute with NGSSoftware, the companies' moves highlight the legal minefield of which vulnerability researchers have to increasingly be wary, said Jennifer Granick, executive director for Stanford Law School's Center for Internet and Society.
"Researchers feel that software companies have so many different legal options--if they want to come after (the researchers), there are so many ways they can," she said. "The choice over whether they want to do their job now comes with more risk."
While many firms have seemingly been content to work with vulnerability researchers in recent years, following the passage of the Digital Millennium Copyright Act (DMCA), several software makers attempted to use the law against researchers who published flaw details against the developer's wishes.
Failed, but chilling, legal tactics
Almost four years ago, multimedia software maker Adobe helped authorities bring charges against a programmer for Moscow-based ElcomSoft for his part in the creation of a program that exploited flaws in Adobe's e-book format. In July 2002, technology giant Hewlett-Packard sent legal notices to researchers at Secure Network Operations after one flaw finder posted details of a vulnerability in the company's Tru64 operating system. And e-mail service provider Tornado Development succeeded in helping prosecutors obtain a guilty verdict against a former employee, Bret McDanel, which resulted in a 16-month prison sentence.
In each case, the security researchers involved won out, eventually. ElcomSoft and its employee, Dmitry Sklyarov, were exonerated, HP backed off its charges against SNOSoft, and McDanel was declared innocent on appeal, but only after serving out a 16-month sentence in prison.
While the U.S. Department of Justice backed away from the arguments used against McDanel, the government still reserved the right to go after people who put information in the public domain with the intent that it be used for a crime, said Granick.
"That makes people worried about these forums and being held responsible for the actions of their listeners," she said. Granick recently published a paper in International Journal of Communications Law and Policy arguing that vulnerability disclosure is an important quality check on software.
Sybase's warnings to NGSSoftware focused on a more controversial legal tactic: Exercising the "no publishing benchmarks" clause commonly included in the shrink wrap license accompanying most software.
NGSSoftware's policy is to report flaws to the software maker and release a general advisory when that company releases its patch, followed by more detailed advisories three months later. Sybase allowed the company to publish general information on the flaws it found in Sybase's Adaptive Server Enterprise (ASE) database software, but warned that if the company released more detailed information, it would consider it a breach of the software license agreement.
"Sybase does not consent to the disclosure of the vulnerabilities and will consider such disclosure a material breach of the ASE Developer Edition's license agreement," the company stated in the letter sent to NGSSoftware.
The company could not be reached for comment on vulnerability disclosure issues, but in a previous statement, the firm voiced concerns that too much detail in a vulnerability advisory could hurt its clients.
Sybase is not the first company to threaten legal actions against vulnerability researchers based on perceived violations of the terms of the software license agreement. Still, the legal basis under which software companies attempt to enforce no-benchmarking and no-reverse-engineering clauses is not clear, according to an analysis of reverse engineering written by two professors at the University of California at Berkeley and published in the Yale Law Review in April 2002.
"The enforceability of such restrictions has been a highly contentious legal issue both in the U.S. and abroad," Pamela Samuelson, professor of law and information management, and Suzanne Scotchmer, professor of economics and public policy, wrote in the paper.
The future may find that such contracts have more force, however. Since the provisions that concern security researchers, do not apply to the average consumers, the lion's share of a software maker's market will not be worried about the stipulations, said Stanford's Granick.
"The problem with contractual arguments is that people can waive all sorts of rights in a contract," she said. "And these mass-market contracts waive a lot of rights that hurt security."
Increasingly, security researchers are quick to condemn the practice, emphasizing that vulnerability advisories act to inform consumers about the safety of software products.
"To use a software license agreement essentially as a gag order to prevent people from disclosing information on a vulnerable product is a horrible way to do business," said Mark Rasch, chief security counsel of security firm Solutionary.
"This is the kind of activity you want to reward," he said. "If you don't, then they will post it anyway--anonymously on blogs."