FireEye takes security firm to court over vulnerability disclosure - cashhincir
A spat between two security companies shows just how sensitive reporting software vulnerabilities can be, particularly when it involves a popular product.
The kerfuffle between FireEye and ERNW, a consultancy in Germany, started after an ERNW researcher found five software flaws in FireEye's Malware Protection System (MPS) early this year.
One of the flaws, found by researcher Felix Wilhelm, could be exploited to gain access to the host system, according to an advisory published by ERNW.
As is customary in the industry, ERNW contacted FireEye in early April with details of the problems.
ERNW planned to release an advisory after a 90-day disclosure period, wrote the company's founder, Enno Rey, in a blog post Thursday. But in the following few months, relations between the two companies became strained.
FireEye, which reviewed ERNW's planned advisory, contended it contained too much technical detail about the inner workings of its MPS product, Rey wrote.
Although ERNW felt the detail was needed to understand how the vulnerabilities posed a danger, the company removed it from its advisory, Rey wrote.
At a face-to-face meeting in Las Vegas on Aug. 5, it appeared the two companies had reached a consensus on a draft of the disclosure document, Rey wrote.
But about a day later, FireEye sent ERNW a cease-and-desist letter, which focused on the disclosure of the company's intellectual property, Rey wrote. The letter contended that no consensus had been reached between the parties the day before.
Before ERNW responded in writing, FireEye obtained an injunction on Aug. 13 from a district court in Hamburg.
Wilhelm presented his findings on Thursday at the 44CON conference in London. He has published his slide deck, but some information relating to FireEye's technology has been redacted in order to comply with the injunction.
A slide from ERNW researcher Felix Wilhelm's presentation at the 44CON conference in London was redacted in order to comply with a German court's injunction.
Escalating the matter to court was unexpected, considering it appeared on Aug. 5 that the companies had reached a solution, Rey wrote.
"We can only speculate what the intentions are from their side," he wrote. "In general, we consider it an inappropriate strategy to treat researchers responsibly reporting security vulnerabilities."
FireEye had no intention of blocking ERNW from discussing the vulnerabilities publicly, wrote the company's vice president for global communications, Vitor C. De Souza, in an email.
But "we were not willing to expose any of the proprietary info that would put our business and customers at risk," he wrote. "Under German law, they were also not allowed to release intellectual property that was not theirs."
FireEye issued a notice describing the vulnerabilities, which it patched some time ago, on Sept. 8. Although it is customary to include a timeline from when a vendor is notified to when patches were issued, FireEye's notice doesn't contain one.
Source: https://www.pcworld.com/article/423528/fireeye-takes-security-firm-to-court-over-vulnerability-disclosure.html
Posted by: cashhincir.blogspot.com
