Fix flawed software, don't gag the researcher

If you ran a software company and an independent security researcher contacted you with proof that your product contains security vulnerabilities, how would you react?

Over the past 18 months I have come across three very prominent cases where security researchers have been ignored, gagged and even called terrorists, by vendors.

I guess it isn't very surprising really. No company would want its customers to know that the security product it sold them is not actually very secure at all.

This week I have written a couple of articles about Guillaume Tena, a French security researcher who violated French copyright law when he published exploit code and other technical information about Tegam's Viguard anti-virus product.

Tena said that despite numerous attempts contacting Tegam about the problem, he was ignored, so he decided to publish his findings on his Web site.

"They never took my communications seriously... and never acknowledged that their product didn't do what it was supposed to do -- 'stop every past, present, future virus without any update'."

Subsequently, Tegam won the copyright case and Tena was fined 14,300 euros.

Last year, Cisco tried to gag Michael Lynn, who revealed that the networking giant's Internetworking Operating System (IOS), which provides the main platform for all the company's network hardware, contained such serious vulnerabilities that an attacker could actually damage routers and switches by exploiting them.

In late 2004, Symantec tried to fudge the findings of security researcher Dan Milisic, who discovered that the company's Norton Anti-virus application contained a script blocking feature that could not block certain scripts.

Symantec first denied the problem, then tried to fudge the issue and then finally admitted there was a problem. In the next version of Norton Anti-virus the script blocker was removed. When I questioned Symantec about this the company said it was no longer necessary because the weaknesses "have since been addressed by Microsoft".

We all know that software is complex and it will contain vulnerabilities. I believe the absolute worst thing a software developer can do when flaws are discovered is to go to ridiculous lengths in order to censor and discredit the security researcher.

The absolute best thing the company could do is hold up its hands and say: 'ok we messed up' and then very quickly and quietly fix the problem.

I hope that the next time a sales representative from one of these companies tries to sell you an upgrade, you will either slam the phone down in disgust, or at least use their miserable track record to negotiate a decent discount.

The only way to effectively demonstrate your disapproval is to hit them where it hurts most -- their bottom line.

Securified Risk Meter: 45%

Tena's loss pushes the securified risk meter to 45 percent from 41 percent -- because while companies are fighting security researchers instead of sloppy code writers, the world of IT security is a little less safe.

About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK. Munir was recognised as Austr...
