Sybase Drops Gag Threat Against Security Research Co.

NGSS publishes an edited version of information regarding security flaws in Sybase Adaptive Server Enterprise, with Sybase's approval.

Sybase has dropped its threat of legal action and allowed a security research company to release information about previously addressed database vulnerabilities.

Next Generation Security Software Ltd. on Tuesday published details of six security flaws in Sybase Adaptive Server Enterprise.

NGSS initially reported the flaws—six buffer overflows and one denial of service—to Sybase Inc. last year. Sybase, based in Dublin, Calif., released an updated version of the software earlier this year and alerted customers that they should upgrade to the latest version.

NGSS, based in Surrey, England, follows a self-imposed policy of not releasing specific details of any vulnerabilities it finds until after a vendor has either fixed the problem or had ample time to do so and decided not to release a patch—usually three months.

The company intended to release details of the database flaws on March 21 of this year but slammed on the brakes after receiving a letter from Sybases legal department. The letter cited licensing policy that, it said, meant NGSS would be subject to legal action if the company went ahead with its plans to publish the details.

/zimages/5/28571.gifClick here to read more about Sybases legal threat against security research company NGSS.

Some members of the security community were outraged by what appeared to be Sybases attempt to gag researchers.

For their part, NGSS researchers said they were startled by the unprecedented action. "From our point of view, its pretty shocking," said Chris Anley, NGSS director. "Theres a fair bit of zero-day disclosure out there, or disclosure that includes exploit code. You could call it pretty irresponsible. … Our disclosure policy of waiting three months after to disclose details, thats pretty much the most responsible policy of security firms out there."

What followed were a few weeks of back-and-forth between the big database vendor and the little security firm, Anley said. "We had a few rounds of discussions about what we were going to publish and how we were going to do it, and we finally reached a level of detail that both sides were happy with," he said. "All we wanted to do was make sure the technical information got out, and all Sybase wanted to do was make sure they had a reasonable measure of control."

Kathleen Schaub, vice president of product marketing for Sybases Information Technology and Solutions group, said the fracas was essentially caused by miscommunication.

"The original intention was simply to make sure that there was nothing that was being done that would actually make the situation worse for our customers," she said. "It was more of an asking for more information, more lets think about this, wait a second, this makes us a little nervous to not know whats being disclosed kind of thing," Schaub said.

As soon as Sybase was alerted to the fact that miscommunication had occurred, the company got in touch with NGSS to tell the firm its real intention, she said, and to work through what would be said in the advisory.

Next Page: Sybases edits were "trivial," according to NGSS.