Sybase drops legal threat over disclosure of flaws

08.04.2005
By
Jaikumar Vijayan writes for, among other publications, our U.S. sister publication CSO Online.

Sybase Inc. withdrew its legal threat against a U.K.-based bug-hunting firm after the companies reached an agreement about the contents of the software vulnerability disclosure that was at the center of the dispute.

Sybase and Next Generation Security Software Ltd. in Surrey, England, issued a joint announcement about a series of security holes that NGS found in Sybase's Adaptive Server Enterprise database last year. The companies pointed users to a technical advisory posted by NGS and to information on Sybase's Web site about fixes that were released in February.

Two weeks earlier, NGS dropped plans to publicly release details of the database flaws after Dublin, Calif.-based Sybase warned that it would take legal action if it went ahead with the disclosure. Sybase said the warning was motivated by concern for the security of Sybase ASE users (see story).

Sherief Hammad, a founding director of NGS, said the research firm agreed to let its vulnerability advisory be edited by Sybase officials after hearing about their concerns.

"We managed to word the advisory in such a way that we felt we had enough details for it to be worthwhile to the public and Sybase felt it had limited ability to be exploited," Hammad said. "At the end of the day, it was a fairly amicable agreement."

Sybase's edits were marginal and didn't alter the meaning of the original content in any way, Hammad said. As part of the deal with Sybase, "there was no agreement that they will get this privileged process every time," he noted.

Hammad added that NGS doesn't plan to revise its vulnerability disclosure policies as a result of the incident. NGS officials said they initially disclose the existence of flaws only to the affected software vendors and then wait for patches to be released before going public with the details.

Kathleen Schaub, vice president of marketing at Sybase, said the whole affair stemmed from a misinterpretation of the software vendor's motives on the part of NGS.

"From our standpoint, it was a miscommunication," Schaub said. "As soon as we started the dialogue, they realized, and we agreed, that they could publish what they felt they needed to."

Sybase is evaluating whether it needs to set a formal policy for dealing with vulnerability researchers, Schaub said. But she added that the software vendor "will work more proactively and more cooperatively" with researchers in the future.