Sybase Drops Gag Threat Against Security Research Co.

 
 
By Lisa Vaas  |  Posted 2005-04-05 Email Print this article Print
 
 
 
 
 
 
 

NGSS publishes an edited version of information regarding security flaws in Sybase Adaptive Server Enterprise, with Sybase's approval.

Sybase has dropped its threat of legal action and allowed a security research company to release information about previously addressed database vulnerabilities. Next Generation Security Software Ltd. on Tuesday published details of six security flaws in Sybase Adaptive Server Enterprise. NGSS initially reported the flaws—six buffer overflows and one denial of service—to Sybase Inc. last year. Sybase, based in Dublin, Calif., released an updated version of the software earlier this year and alerted customers that they should upgrade to the latest version.
NGSS, based in Surrey, England, follows a self-imposed policy of not releasing specific details of any vulnerabilities it finds until after a vendor has either fixed the problem or had ample time to do so and decided not to release a patch—usually three months.
The company intended to release details of the database flaws on March 21 of this year but slammed on the brakes after receiving a letter from Sybases legal department. The letter cited licensing policy that, it said, meant NGSS would be subject to legal action if the company went ahead with its plans to publish the details. Click here to read more about Sybases legal threat against security research company NGSS. Some members of the security community were outraged by what appeared to be Sybases attempt to gag researchers.
For their part, NGSS researchers said they were startled by the unprecedented action. "From our point of view, its pretty shocking," said Chris Anley, NGSS director. "Theres a fair bit of zero-day disclosure out there, or disclosure that includes exploit code. You could call it pretty irresponsible. … Our disclosure policy of waiting three months after to disclose details, thats pretty much the most responsible policy of security firms out there." What followed were a few weeks of back-and-forth between the big database vendor and the little security firm, Anley said. "We had a few rounds of discussions about what we were going to publish and how we were going to do it, and we finally reached a level of detail that both sides were happy with," he said. "All we wanted to do was make sure the technical information got out, and all Sybase wanted to do was make sure they had a reasonable measure of control." Kathleen Schaub, vice president of product marketing for Sybases Information Technology and Solutions group, said the fracas was essentially caused by miscommunication. "The original intention was simply to make sure that there was nothing that was being done that would actually make the situation worse for our customers," she said. "It was more of an asking for more information, more lets think about this, wait a second, this makes us a little nervous to not know whats being disclosed kind of thing," Schaub said. As soon as Sybase was alerted to the fact that miscommunication had occurred, the company got in touch with NGSS to tell the firm its real intention, she said, and to work through what would be said in the advisory. Next Page: Sybases edits were "trivial," according to NGSS.



 
 
 
 
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...

 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel