A threat by Sybase Inc. to sue a U.K.-based security research firm if it publicly discloses the details of eight holes it found in Sybase's database software last year is evoking sharp criticism from some IT managers but sympathetic comments from others.
Blocking the release of vulnerability information "would set a bad precedent" for the software industry, said Tim Powers, senior network administrator at Southwire Co., a Carrollton, Ga.-based maker of electrical wires and cables.
Responsible disclosure of software flaws by vulnerability researchers has "significantly improved" the security of products, Powers said. "Preventing disclosure through the threat of legal action can only hurt security," he said.
But Kim Milford, information security manager at the University of Rochester in New York, said she thinks most IT support workers would contact their software vendors directly if security patches weren't effective or couldn't be applied to systems. In such cases, "hackers tend to benefit the most from the release of technical details" about security vulnerabilities, she said.
Dublin, Calif.-based Sybase this week sent a letter to Next Generation Security Software Ltd. warning of legal consequences if it went ahead with plans to release information about the flaws it discovered in Version 12.5.3 of Sybase's Adaptive Server Enterprise (ASE) software.
Surrey, England-based NGS initially disclosed the existence of the flaws only to Sybase, which released a fully patched and updated version of the affected software last month. In line with its stated practice of first waiting for vendors to issue patches, NGS had said it would publicly release details of the flaws on Monday. It decided not to after receiving Sybase's letter.
"We were quite shocked," David Litchfield, one of the founders of NGS, said via e-mail. "They claim that looking for security bugs comes under the banner of database performance testing and benchmarking." Litchfield noted that the license agreement for the development edition of ASE prohibits publication of performance testing and benchmarking results without Sybase's permission.
In an e-mailed statement, a Sybase spokeswoman defended the company's action and said it was motivated by concern for the security of its users. "Sybase does not object to publication of the existence of (security) issues discovered in its products," the statement read. "However, the company does not believe that publication of highly specific details relating to issues is in the best interest of its customers."
The case highlights the need for more cooperation between software vendors and vulnerability researchers, said Eric Beasley, senior network manager at Baker Hill Corp., a Carmel, Ind.-based provider of application services to the banking industry.
"I think it's a very bad idea to try and squash vulnerability research because then, obviously, most (vendors) are not going to endeavor to make safer software," Beasley said. "Security through obscurity just does not work."
At the same time, though, security researchers need to work with vendors and ensure that information is disclosed only in a responsible and safe manner, Beasley said. "The two sides need to be looking at such problems together and not get into such an adversarial relationship."
Sybase's action is "abhorrent," said Russ Cooper, editor of the NTBugtraq mailing list and a senior scientist at Cybertrust Inc. in Herndon, Va. "It's equivalent to suing a whistle-blower and should not be tolerated," he said. "No extortion occurred. They were told upfront when details would be published."
Sybase's warning, though rare, isn't entirely unprecedented, said Michael Sutton, director of vulnerability research at iDefense Inc. in Reston, Va. In the past, iDefense has been threatened with similar actions by software vendors, though none has yet gone to the extent of sending a formal legal notice like Sybase did, Sutton said.
Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. and a longtime advocate of public vulnerability disclosures, said the notion that bug hunters only increase security risks by unearthing and disclosing well-hidden software problems is just plain wrong.
"That is just naive," Schneier said. "Don't shoot the messenger. Just fix the problems in your software."
But Bob Bagamery, a systems support specialist at a large Canadian utility that he asked not to be named, said the threat of disclosing detailed information about vulnerabilities should be used by security researchers only "when not enough effort is being made to correct the flaw, or when the software manufacturer is trying to blow off" the issue.
"The whole concept of bug-finding simply to find bugs is fundamentally flawed," said Pete Lindstrom, an analyst at Spire Security LLC in Malvern, Pa. "Litchfield and all the other bug hunters are profiting by making the entire enterprise world miserable. It's about time someone took action to at least make them justify what they are doing."
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.