The ongoing battle between researchers and vendors over the public disclosure of security vulnerabilities in vendor products took a bizarre turn last week in a new case involving two security firms, FireEye and ERNW. In a blog post published September 10, ERNW revealed that FireEye had obtained a court injunction to prevent its researchers from publicly disclosing certain information around three vulnerabilities they discovered in a security product made by FireEye.
Although FireEye agreed that ERNW could disclose the vulnerabilities themselves in a report they planned to publish and present at a conference, the firm took issue with the amount of information the researchers planned to reveal—information ERNW says was required to fully understand the context for the vulnerabilities, but that FireEye says was proprietary source code and would have exposed its product and customers to risk.
The FireEye case is unique because it’s a face off between two security firms, both of whom understand the importance that security research plays in securing computer users. FireEye says it saw legal action as the only way to protect its interests and its customers.
Enno Rey, founder of ERNW, wrote a lengthy blog post describing his disappointment in how FireEye strong-armed them with a legal threat. “I don’t think [legal action is] appropriate in this specific case, I don’t think it’s appropriate in the vast majority of other cases of responsible disclosure and I think it eventually sends the wrong signal to the research community,” he wrote. Others in the security community agree with him.