The ongoing battle between researchers and vendors over the public disclosure of security vulnerabilities in vendor products took a bizarre turn yesterday in a new case involving two security firms, FireEye and ERNW.

In a blog post published Thursday, ERNW revealed that FireEye had obtained a court injunction to prevent its researchers from publicly disclosing certain information around three vulnerabilities they discovered in a security product made by FireEye.

Although FireEye agreed that ERNW could disclose the vulnerabilities themselves in a report they planned to publish and present at a conference, the firm took issue with the amount of information the researchers planned to reveal—information ERNW says was required to fully understand the context for the vulnerabilities, but that FireEye says was proprietary source code and would have exposed its product and customers to risk.

FireEye says it saw legal action as the only way to protect its interests and its customers.

Enno Rey, founder of ERNW, wrote a lengthy blog post describing his disappointment in how FireEye strong-armed them with a legal threat.

“I don’t think [legal action is] appropriate in this specific case, I don’t think it’s appropriate in the vast majority of other cases of responsible disclosure and I think it eventually sends the wrong signal to the research community,” he wrote.

Others in the security community agree with him.

The battle marks a new twist in the decades-long saga over vulnerability disclosure.

There has long been tension between security researchers who uncover vulnerabilities in a software vendor’s product and the vendors who don’t want the researchers to publicly disclose these holes. In 2005, for example, technology giant Cisco hit researcher Mike Lynn with a court injunction and threat of lawsuit to prevent him from revealing information about a serious security flaw he discovered in its routers. Lynn also faced an FBI probe over his disclosure.

In 2008, Boston subway officials obtained an injunction against three MIT students to prevent them from presenting a talk about security vulnerabilities they found in payment systems used in the Massachusetts mass transit system.

But the FireEye case is unique in that it’s a face-off between two security firms, both of which understand the role security research plays in protecting computer users. ERNW is a security consulting company based in Germany, and FireEye is a large security firm based in California that is often in the news over its investigation of security breaches. FireEye’s Mandiant forensic unit was hired by Sony last year to investigate its massive breach and has investigated most of the high-profile breaches of the last decade.

FireEye has also been on the discovery end of vulnerabilities in other vendors’ products. Last month, for example, researchers with FireEye Labs presented information about security flaws in the fingerprint scanners of Android phones (.pdf).

A FireEye spokesman told WIRED that his firm fully supported the ERNW researchers disclosing the vulnerabilities in his company’s product but tried to negotiate with them for more than a month about removing sensitive information it didn’t think was necessary for the disclosure. After failing to obtain assurances that the information would be removed, FireEye lost confidence in the negotiations.

He notes that FireEye works with a lot of researchers and vendors on security flaws, but those negotiations never involve the degree of information ERNW planned to disclose. In addition to information about the vulnerabilities, he says the researchers also planned to disclose source code and information about the software architecture and design of FireEye’s security product.

“You’re giving attackers the upper hand, which is against responsible disclosure,” FireEye spokesman Vitor De Souza told WIRED. “When we saw what they had in their [initial] report we were like holy shit…. We had a lot of questions about how they obtained that… We deal with hundreds of researchers and we had never seen that before. What they included in their report crossed the line. No one was comfortable with that information being disclosed to the public.”

The company has posted a blog entry explaining its stance.

Roots of the Disagreement

In their two accounts of the incident, the companies unsurprisingly diverge in their interpretation of what occurred. Both agree, however, on some of the basic facts.

The issue between ERNW and FireEye began in April when the German firm contacted FireEye about five vulnerabilities its researcher Felix Wilhelm had found in FireEye’s Malware Protection System version 7.5.1. FireEye says it was already aware of two of the vulnerabilities, but was happy to receive information about the other three from Wilhelm.

One of the most serious would allow an attacker to take control of the MPS appliance simply by sending two emails to any employee at a targeted company—one containing a ZIP attachment with malware and a second containing another ZIP attachment designed to trigger the malware to launch and install a backdoor on the customer’s MPS system. The attack would work even if the recipient didn’t open the initial malicious attachment or even the email in which it was sent, according to a presentation Wilhelm prepared about the vulnerabilities (.pdf). “Just transferring it is enough,” he wrote in his slides.

Over several weeks beginning in May, FireEye worked with ERNW to understand the vulnerabilities and devise fixes for the main ones by the end of June. Some time in June, ERNW provided FireEye with a draft of a report it planned to release about its findings, following a 90-day period to allow for the disclosure and fixing process to be completed.

FireEye objected to the extensive technical details that described the inner workings of the MPS.

“No other software company would allow their source code and design trade secrets be revealed to the public,” De Souza told WIRED.

Rey, who did not respond to WIRED’s request for comment, saw it otherwise.

“We… were of the opinion,” he wrote in his blog post, “that some level of contextual detail would be necessary to understand the nature of the vulnerabilities which in turn would subsequently serve the objective of education that is inherent to any responsible disclosure process.”

Nonetheless, Rey asserts that his researchers “removed stuff” from the document “at several occasions during this phase” and that they also complied when FireEye asked several times that they postpone publication of their report, in order to ensure that more customers had been upgraded with the fixes.

De Souza maintains, however, that none of the objectionable information FireEye had asked to be removed was deleted from subsequent versions of the report ERNW sent. “We had multiple discussions with them throughout [the] month of July, and in all the versions of the draft they sent they kept putting IP information in it,” he says.

So FireEye sought a face-to-face meeting to discuss the matter. All the parties met in person on August 5th at the Black Hat security conference in Las Vegas. At the end of that meeting, Rey says, they had all come to an agreement about the document.

“We went through the document draft, section by section, and discussed wordings and (level of) technical details,” Rey notes in his blog post. “All three of us had the strong impression that a preliminary consensus was reached during that meeting, and a number of hands were shaken at parting. We think it was agreed upon that we would send the next, mostly final iteration in the following week.”

Rey notes that he fully understood FireEye’s desire to protect its intellectual property and “never had the intention to violate that.” He adds: “[W]e had abided by (both virtual and physical) handshake several times that nothing would be published without mutual agreement. We thought we were on the same track.”

De Souza, however, says that the FireEye team still did not feel reassured that ERNW would remove the material. That concern was reinforced, he says, when FireEye discovered an abstract for a talk ERNW planned to give about the vulnerabilities in September at a conference in London. The abstract, which is no longer available online, said “they would reveal how the FireEye engine works,” says De Souza. FireEye had known that ERNW planned to present its findings at a later conference in Singapore in October, but the discovery that an earlier talk was also planned—one ERNW had not disclosed to FireEye—and that the talk appeared to contain proprietary information pushed FireEye over the edge.

After all of this, De Souza says, “Our confidence level that they were going to adhere [to our request to remove the information] was low. We’d been talking for nearly three months. After multiple conversations and multiple iterations [of their report], and they’re still not adhering to what we discussed.”

FireEye felt it was running out of time before the September conference, so within 24 hours of the Las Vegas meeting it sent ERNW a cease-and-desist letter, along with a document ERNW was to sign to provide assurance that its researchers would not disclose proprietary information in their talk.

ERNW consulted with a lawyer and told FireEye it would respond to the letter by August 17. But FireEye wasn’t prepared to wait. On August 13th, the company went to court to obtain an injunction to prevent ERNW from disclosing proprietary information about the company’s product, while still allowing the researchers to publicly discuss the vulnerabilities themselves. ERNW received that injunction on September 2.

Rey insists that in the meantime ERNW had already sent a new draft of its report to FireEye on August 11 with all of the objectionable material removed. De Souza says, however, that the company never received it. He says it wasn’t until September 2, the day that ERNW received the court injunction, that ERNW finally sent a new draft of the report with the objectionable material removed.

Eventually, FireEye released an announcement on September 8 noting the vulnerabilities (.pdf) and giving ERNW credit for discovering them. This week Wilhelm gave his presentation at the London conference, while noting that he was prevented from disclosing some of the information he had planned to discuss, due to the injunction obtained by FireEye.

Many people in the security community feel burned over the incident. And De Souza says he understands the displeasure with his company.

“The court order, I understand that may have rubbed them in the wrong direction, as it would to anyone who received a legal letter,” he says. In the end, though, he maintains, FireEye was trying to protect its intellectual property the way any other company would.

He adds that it’s important to remember that FireEye never sought to prevent ERNW from disclosing the vulnerabilities themselves.

For his part, Rey wrote that he would “be really happy if our case contributes to evolving the understanding, procedures and maturity of vulnerability disclosure in certain circles. If nothing else it would then have been worth the effort and energy spent so far on all this.”

A Bizarre Twist in the Debate Over Vulnerability Disclosures