Sybase's Edits Were Trivial

The subsequent editing was trivial, Anley said, being concerned with the level of detail and language involved. "If you read the advisory, there's enough technical information for people to make a realistic assessment of the impact of the bugs to their organization, and they can work out what they want to do with them. That's why we wanted to make sure the details were published."

NGSS took care in the exchange of e-mails to ensure that evidence of mitigation made its way into the final draft of the advisory, Anley said.

"Realistically, one major reason administrators want details is so they can make mature assessments of what the impact is of these bugs," Anley said. "How much does it affect them? If this database is a back end for my server, what are [the bugs'] vectors? How likely is it that someone can take control of my database?"

Beyond that, the advisory is 95 percent of what NGSS wrote in the first place, Anley said.

The agreement reached between NGSS and Sybase pertains only to the bugs in question, not to any future vulnerability discoveries, Anley said. Hence, the question remains as to the extent to which vendors will be newly emboldened when it comes to meddling with researchers. This incident could be a harbinger of a future test case in which the legality of license agreements to restrict customers' ability to talk about a given product is put to the test, Anley said.

On the plus side, Anley said, Sybase was open to coming to a reasonable solution. "We've all got mortgages to pay. We don't want to be threatened by large companies, whether they've got a case or not," he said. "I don't know what initiated the process on their side: why they thought it was a good idea. Certainly we weren't going to just sit back and say, 'All right then, we're not going to publish that.' But it wasn't a hugely confrontational thing. They just wanted to find an amicable solution. At the end of the day, we both have the interests of Sybase customers at heart."
For its part, Sybase intends to be a "little more proactive" in working with security firms that contact the company, Schaub said. "Frankly, this doesn't happen to us this often," she said. "There were a couple of incidents over the last couple years, but it's not something we run into a whole lot."
That's important to ensure that database administrators have enough information to make sound decisions about patch application, he said.