If you ran a software company and an independent security researcher contacted you with proof that your product contains security vulnerabilities, how would you react?
Over the past 18 months I have come across three very prominent cases where security researchers have been ignored, gagged and even called terrorists by vendors.
I guess it isn't very surprising really. No company would want its customers to know that the security product it sold them is not actually very secure at all.
This week I have written a couple of articles about Guillaume Tena, a French security researcher who violated French copyright laws when he published exploit code and other technical information about Tegam's Viguard anti-virus product.
Tena said that despite numerous attempts contacting Tegam about the problem, he was ignored, so he decided to publish his findings on his Web site.
"They never took my communications seriously... and never acknowledged that their product didn't do what it was supposed to do -- 'stop every past, present, future virus without any update'."
Subsequently, Tegam won the copyright case and Tena was fined 14,300 euros.
Last year, Cisco tried to gag Michael Lynn, who revealed that the networking giant's Internetworking Operating System (IOS), which provides the main platform for all the company's network hardware, contained such serious vulnerabilities that an attacker could actually damage routers and switches by exploiting them.
In late 2004, Symantec tried to fudge the findings of security researcher Dan Milisic, who discovered that the company's Norton Anti-virus application contained a script blocking feature that could not block certain scripts.
Symantec first denied the problem, then tried to fudge the issue and then finally admitted there was a problem. In the next version of Norton Anti-virus the script blocker was removed. When I questioned Symantec about this the company said it was no longer necessary because the weaknesses "have since been addressed by Microsoft".
We all know that software is complex and it will contain vulnerabilities. I believe the absolute worst thing a software developer can do when flaws are discovered is to go to ridiculous lengths in order to censor and discredit the security researcher.
The absolute best thing the company could do is hold up its hands and say: 'ok we messed up' and then very quickly and quietly fix the problem.
I hope that the next time a sales representative from one of these companies tries to sell you an upgrade, you will either slam the phone down in disgust, or at least use their miserable track record to negotiate a decent discount.
The only way to effectively demonstrate your disapproval is to hit them where it hurts most -- their bottom line.
Tena's loss pushes the securified risk meter to 45 percent from 41 percent -- because while companies are fighting security researchers instead of sloppy code writers, the world of IT security is a little less safe.