Lawsuits to prevent reporting vulnerabilities will chill research
Christian Science Monitor:
Companies’ lawsuits aimed at preventing public disclosures of vulnerabilities will have a chilling effect on security research, a majority of Passcode Influencers said.
Earlier this month, security firm FireEye obtained a court injunction in Germany to prevent another firm, ERNW, from releasing details about vulnerabilities its researchers found in a FireEye product. Along with a recent controversial blog post by the chief security officer of Oracle complaining about researchers who reverse engineer the company’s software (potentially in violation of its terms of service) in the name of finding bugs, this sparked a heated debate over whether protecting companies’ intellectual property should take precedence over researchers’ freedom to alert consumers to security weaknesses.
…
“The threat of litigation often inhibits researchers from disclosing a vulnerability even to the companies that may be responsible for the vulnerability, or to companies that have unknowingly incorporated the vulnerability in their products and services. The threat of litigation may also chill information sharing within the larger research community, which negatively impacts our understanding and response to cybersecurity threats.” — Nuala O’Connor, Center for Democracy and Technology