Vulnerability Research - German Software Company Threatens Security Researcher With Lawsuit - eWeek Security Watch | eWeek
Security Watch
SHARE
Facebook X Pinterest WhatsApp

German Software Company Threatens Security Researcher With Lawsuit

Written By
Fahmida Y. Rashid
Fahmida Y. Rashid
Apr 29, 2011
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A German software company has threatened legal action against a security researcher for privately reporting a critical vulnerability.

Lawyers from Magix AG sent “Acidgen,” an independent security researcher, a letter threatening a lawsuit for creating a proof-of-concept exploiting a security vulnerability he discovered in the vendor’s music application, Dark Reading reported on April 27.

Acidgen discovered a buffer overflow vulnerability in the Music Maker 16 music application and promptly notified Magix. After “several friendly email exchanges,” Acidgen sent a “non-harmful” proof-of-concept demonstrating how the flaw could be exploited. Acidgen said he planned to publish the vulnerability after it was patched.

Lawyers from Magix equated Acidgen’s plans to publish the proof-of-concept as extortion. A three-year-old “hacker clause” in German law forbids anyone from selling and distributing hacking tools.

“MAGIX does not appreciate that you are intending to publicly release the Exploit and to cause irreparable harm,” the letter said.

“It came out of nowhere,” Aciden told Dark Reading. He was waiting to find out when the patch would be released when the company said it was going to press charges for the exploit code. The benign code just starts up Windows calculator, according to Acidgen. He’d also offered to help the vendor with more proof-of-concepts.

“I stated and made clear that I’m not trying to extort them or make money,” Acidgen said.

Acidgen isn’t the only researcher to run afoul of the German law. Security researcher Thomas Roth was served with an injunction in January prior to Black Hat DC where he was planning to release an open source tool that used Amazon EC2 computers to crack SHA1-based passwords at high speeds. A German telecommunications firm thought Roth was going to be making money from the tool, and was illegally breaking into wireless networks.

Roth managed to clear up the misunderstanding and finally released the tool in March.

Considering that companies like Microsoft are pushing security researchers to privately disclose vulnerabilities instead of publishing to public lists like the Full Disclosure mailing list, it seems counter-intuitive to slap them with a lawsuit.
Fahmida Y. Rashid
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information