Fix flawed software, don't gag the researcher


If you ran a software company and an independent security researcher contacted you with proof that your product contains security vulnerabilities, how would you react?

Over the past 18 months I have come across three very prominent cases where security researchers have been ignored, gagged and even called terrorists, by vendors.

I guess it isn't very surprising really. No company would want its customers to know that the security product it sold them is not actually very secure at all.

This week I have written a couple of articles about Guillaume Tena, a French security researcher who violated French copyright laws when he published exploit codes and other technical information about Tegam's Viguard anti-virus product.

Tena said that despite numerous attempts contacting Tegam about the problem, he was ignored, so he decided to publish his findings on his Web site.

"They never took my communications seriously... and never acknowledged that their product didn't do what it was supposed to do -- 'stop every past, present, future virus without any update'."

Subsequently, Tegam won the copyright case and Tena was fined 14,300 euros.

Last year, Cisco tried to gag Michael Lynn, who revealed that the networking giant's Internetworking Operating System (IOS), which provides the main platform for all the company's network hardware, contained such serious vulnerabilities that an attacker could actually damage routers and switches by exploiting them.

In late 2004, Symantec tried to fudge the findings of security researcher Dan Milisic, who discovered that the company's Norton Anti-virus application contained a script blocking feature that could not block certain scripts.

Symantec first denied the problem, then tried to fudge the issue and then finally admitted there was a problem. In the next version of Norton Anti-virus the script blocker was removed. When I questioned Symantec about this the company said it was no longer necessary because the weaknesses "have since been addressed by Microsoft".

We all know that software is complex and it will contain vulnerabilities. I believe the absolute worst thing a software developer can do when flaws are discovered is to go to ridiculous lengths in order to censor and discredit the security researcher.

The absolute best thing the company could do is hold up its hands and say: 'OK, we messed up', and then very quickly and quietly fix the problem.

I hope that the next time a sales representative from one of these companies tries to sell you an upgrade, you will either slam the phone down in disgust, or at least use their miserable track record to negotiate a decent discount.

The only way to effectively demonstrate your disapproval is to hit them where it hurts most -- their bottom line.

Securified Risk Meter: 45%

Tena's loss pushes the securified risk meter to 45 percent from 41 percent -- because while companies are fighting security researchers instead of sloppy code writers, the world of IT security is a little less safe.


Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.


Talkback

  • Both are in the wrong

    Yes, the software vendor should fix the issues. The real issues I see include the following:
    1 Calling vulnerability analysis "security research", let alone research at all.

    2 How vulnerabilities are released. Did Tena do this to make the security community a better place, or did he seek personal gain? You do not need to go public and state how great you are because you have found a vulnerability.

    This takes us to where vulnerabilities are now being purchased. None of this helps make us secure.

    Craig
    anonymous