Legal threat stops flaw info release
Posted by jericho
Legal threat stops flaw info release
By Jaikumar Vijayan MARCH 25, 2005 COMPUTERWORLD
A threat by Sybase Inc. to sue a U.K.-based security research firm if it publicly discloses the details of eight holes it found in Sybase’s database software last year is evoking sharp criticism from some IT managers but sympathetic comments from others.
Blocking the release of vulnerability information “would set a bad precedent” for the software industry, said Tim Powers, senior network administrator at Southwire Co., a Carrollton, Ga.-based maker of electrical wires and cables.
Responsible disclosure of software flaws by vulnerability researchers has “significantly improved” the security of products, Powers said. “Preventing disclosure through the threat of legal action can only hurt security,” he said.
[..]

More press on this one:
- Legal notice prevents flaw exposure
- Sybase to Security Researchers: Stay Quiet or We’ll Sue
The Register (courtesy of SecurityFocus.com, whose site appears to be down) has a follow-up that indicated Sybase was going to drop the threats. Since NGS published the details, I guess it’s true.
The article also contains information on a number of other legal cases.
Sybase invokes licence gag in flaw disclosure row