FireEye defends researcher injunction as way to protect 'trade secrets'

An injunction against a researcher may have protected sensitive data, but will the security community view it this way?
Written by Charlie Osborne, Contributing Writer

Cybersecurity firm FireEye has defended the decision to place an injunction against a researcher as the only way to protect trade secrets.

Last week, reports surfaced suggesting the cyberforensics firm attempted to prevent the public disclosure of security vulnerabilities discovered within the firm's suite of software.

Felix Wilhelm, a security researcher for ERNW GmbH, disclosed the flaw, which permitted the default use of the root account on Apache servers linked to FireEye clients. If an attacker exploited this flaw, they would be able to compromise servers, leading to data theft and full control without running into any permission barriers -- one of the worst and most critical vulnerabilities imaginable.

After disclosing the flaw to FireEye, Wilhelm was the target of an injunction awarded at a German court which prevented the researcher from discussing the vulnerability at the 44CON conference, restricting Wilhelm from fully explaining his findings.

At the time, FireEye said the injunction was put in place to "protect intellectual property [...] and trade secrets," rather than gag the researcher's vulnerability disclosure.

Despite this defense, the company faced heavy criticism over the legal maneuver, and that criticism called for damage control. As a result, the company has explained its position in a blog post.

On Monday, the company said the team are "security researchers at heart," and "vulnerability notifications from the research community are a welcome complement to our own threat research."

In relation to ERNW and Wilhelm, FireEye claims the reports are "flat out wrong," and the injunction was the last resort. FireEye says the company worked with ERNW on the public disclosure of the vulnerabilities, with both firms planning a separate report on the researcher's findings.

After viewing draft material, FireEye requested the removal of "sensitive FireEye intellectual property and trade secrets" a number of times, but the information in contention remained in ERNW's draft copies.

At the same time, ERNW published abstracts describing talks due to take place at cybersecurity conferences in both Singapore and London relating to the FireEye vulnerabilities.

"While we wanted to continue to focus only on the specifics of the vulnerabilities, at this point we were unclear whether ERNW understood our significant concerns," FireEye says.

A warning letter was then sent to the ERNW researchers asking them again to remove the "sensitive" information. ERNW refused to comply, leading to the injunction imposed by the German court.

FireEye commented:

"Injunctive relief was necessary to give FireEye the assurance that the sensitive information would not be published. The interim injunction was served on ERNW on September 2, 2015, while ERNW and FireEye continued to work on a draft of the report focused only on the vulnerabilities. We mutually agreed on a final version of the report for publication on September 8, 2015.

It is important to note that FireEye did not seek to deny ERNW from disclosing the vulnerabilities themselves. In fact, FireEye cooperated with ERNW on this matter and ultimately approved their published report on the vulnerabilities.

It is unfortunate that we could not come to an agreement with ERNW without the use of an injunction. Our commitment continues to be to our customers, and very rarely does that include using a legal outlet to ensure they remain secure."

It will be interesting to see the implications of a legal move made against a security researcher by a security firm, in any case.

Wilhelm's case is not the only FireEye flaw to hit the media in the last month. Researcher Kristian Erik Hermansen publicly disclosed a zero-day vulnerability relating to FireEye products, apparently discovered 18 months ago, complete with proof-of-concept code.

The researcher has also said three other flaws -- an authenticated user command injection zero-day flaw, an unauthenticated remote root command injection and a login bypass zero-day vulnerability -- are up for sale.

FireEye insists Hermansen's flaw "could potentially impact less than .005 percent of our customers," although the public disclosure may suggest otherwise. Hermansen will not release his findings until FireEye agrees to set up a bug bounty program, but the company has decided against such a move, defending its position in this manner:

"We have considered a bug bounty program but as with all things, there are trade-offs that make it more complicated than simply writing a check. For example, once a program is in place, more researchers will submit potential vulnerabilities, drawing security and engineering resources away from their current work.

More of these submitted vulnerabilities will be false positives and once a vulnerability is discovered, how should a reward be priced? Is $10,000 an appropriate price for a vulnerability that impacts .005 percent of our customers? How can we ensure a researcher feels rewarded for his work if our perception of the impact varies?"

ZDNet has reached out to ERNW and will update if we hear back.