A German software company has threatened legal action against a security researcher for privately reporting a critical vulnerability.
Lawyers from Magix AG sent “Acidgen,” an independent security researcher, a letter threatening a lawsuit for creating a proof-of-concept exploiting a security vulnerability he discovered in the vendor’s music application, Dark Reading reported on April 27.
Acidgen discovered a buffer overflow vulnerability in the Music Maker 16 music application and promptly notified Magix. After “several friendly email exchanges,” Acidgen sent a “non-harmful” proof-of-concept demonstrating how the flaw could be exploited. Acidgen said he planned to publish the vulnerability after it was patched.
Lawyers from Magix equated Acidgen’s plans to publish the proof-of-concept as extortion. A three-year-old “hacker clause” in German law forbids anyone from selling and distributing hacking tools.
“MAGIX does not appreciate that you are intending to publicly release the Exploit and to cause irreparable harm,” the letter said.
“It came out of nowhere,” Aciden told Dark Reading. He was waiting to find out when the patch would be released when the company said it was going to press charges for the exploit code. The benign code just starts up Windows calculator, according to Acidgen. He’d also offered to help the vendor with more proof-of-concepts.
“I stated and made clear that I’m not trying to extort them or make money,” Acidgen said.
Acidgen isn’t the only researcher to run afoul of the German law. Security researcher Thomas Roth was served with an injunction in January prior to Black Hat DC where he was planning to release an open source tool that used Amazon EC2 computers to crack SHA1-based passwords at high speeds. A German telecommunications firm thought Roth was going to be making money from the tool, and was illegally breaking into wireless networks.
Roth managed to clear up the misunderstanding and finally released the tool in March.
Considering that companies like Microsoft are pushing security researchers to privately disclose vulnerabilities instead of publishing to public lists like the Full Disclosure mailing list, it seems counter-intuitive to slap them with a lawsuit.