French Researcher Fined for Releasing Exploit Code

A French security researcher is fined the equivalent of $6,700 for publishing technical details of a security flaw he found in an anti-virus software product.

A computer hobbyist who published technical details of a security flaw he found in a French anti-virus product has been fined the equivalent of $6,700 and barred from releasing any further information on the topic.

The fine against researcher Guillaume Tena was handed down in a French court on Tuesday, ending a three-year-old criminal case that prompted intense discussion in the security community.

Tena, who now works as a molecular biology researcher at Harvard Medical School, admitted to using a few bytes from the memory of his computer that was created by the anti-virus product marketed by Tegam International.

Tegam International sued for defamation, libel and counterfeiting, and the case went to trial. Last January, prosecutors accused the researcher of breaching sections of France's intellectual property laws and asked for a four-month jail sentence and fines.

When the sentence was handed down Tuesday, Tena dodged jail time but was ordered to pay a fine. Tegam International also has a civil case pending where damages in the vicinity of $1.2 million are being sought.

In an e-mail exchange, Tena said his research simply proved false the company's marketing pitch that the anti-virus product stopped 100 percent of all past, present and future viruses.

On his Web page, Tena published technical details of how the program worked, demonstrated some security flaws and some tests with real viruses. Contrary to Tegam International's advertising claims, Tena argued that the software did not detect and block "100 percent of viruses."

The company said it decided to sue Tena after putting up with "four years of repetitive insults against the company, its product and its staff."

"He has not been sued for his supposed search for security breaches, but for what he has really done: denigrated, insulted and impinged upon copyright, none of which contributes anything to a software test," the company said in a statement posted on its Web site.

"Tegam International encourages users to look for breaches and to provide feedback concerning its products. Notably, our staff participated in BlackHat and Virus Bulletin in the framework of research on attack methods."
