An advisory describing serious flaws in a software module for viewing and printing document files has become the focus of a dispute over the disclosure of software vulnerabilities, according to correspondence published by security firm Secunia on Thursday.
Autonomy -- the maker of the KeyView software development kit (SDK) which adds document-printing and viewing functionality to applications -- demanded that Secunia remove details of the flaws affecting the SDK from its public database, according to the series of letters and e-mails between the two companies and posted to Secunia's blog. Secunia published the advisory on November 29, after identifying that several previous vulnerabilities occurred in the SDK and not in third-party products that used the development kit.
Several companies -- including IBM and Symantec, the owner of SecurityFocus -- use the software development kit and have already patched flaws related to KeyView in their products. Autonomy argued that, because those flaws had already been disclosed and fixed, it should not be necessary for Secunia to publish an additional advisory.
"In this particular situation, the security issue was already identified some time ago by Autonomy and another security research firm and a fix was quickly produced and made available to customers," the company said in a statement sent to SecurityFocus. "When we believe users are going to be misled, we make every effort to ask that an organization publish full and accurate information. ... As other industry leaders do, we appreciate the efforts of security research firms and the service they perform for our customers, who are our number one priority."
Companies occasionally use legal threats against researchers and disclosure sites for outing flaws in their products. In 2005, Sybase legally hobbled Next-Generation Security Software, a research and services firm, to prevent it from releasing details of a flaw that had already been fixed. The company later allowed the release. In 2006, in an incident made murky by nondisclosure agreements and media hype, security researcher David Maynor and consumer technology maker Apple argued over the details of two wireless flaws that affected the Mac OS X as well as Windows computers.
While the disclosure debate is a perennial topic at security conferences, most companies have accepted that reports of flaws in their software products could become public.
"There are definitely a lot of companies out there that think vulnerabilities shouldn't be disclosed," Thomas Kristensen, chief technology officer for Secunia, told SecurityFocus on Friday. "There are a lot of companies that don't publish any information about vulnerabilities."
Posted by: Robert Lemos