
FireEye Scolded for Injunction to Stop Security Researcher Revealing Source Code - jessaustin
http://www.forbes.com/sites/thomasbrewster/2015/09/10/fireeye-slammed-over-injunction/
======
david_shaw
This certainly isn't the first time a company has stifled publications
pointing out flaws in its product. It's important to note that the reason many
people in the security community are so upset is that FireEye, as a security
company, "should know better."

The common best practice for security researchers is, when a vulnerability is
discovered, to contact the organization with the vulnerable product, give them
a set amount of time to fix/patch the issue (usually 60 or 90 days), and then
release the vulnerability to the public after that amount of time has passed.
Many people feel that this system holds organizations accountable, and makes
it so that they can't simply ignore the issue -- without being punitive to the
product and its users.

While people can certainly have different opinions on how FireEye is
perceived, it's absolutely a major player in the security industry. For an
organization such as that to stifle researchers is very surprising to many
people in the community.

~~~
kiliancs
Still, if the researcher releases IP together with the vulnerability, it seems
legitimate for the IP owner to defend itself.

~~~
david_shaw
Yeah, I agree with you -- and that's where the conflicting messages seem to
start.

FireEye claims that they don't take issue with the vulnerability disclosure,
just the IP publication; meanwhile, ERNW claims that they promised not to
release any IP without FireEye approval, and that they never intended to
release anything that would relate to IP.

It's a weird situation.

------
kiliancs
Follow-up: [http://www.insinuator.net/2015/09/sending-mixed-signals-what...](http://www.insinuator.net/2015/09/sending-mixed-signals-what-can-happen-in-the-course-of-vulnerability-disclosure/)

~~~
hga
HN topic for that:
[https://news.ycombinator.com/item?id=10206083](https://news.ycombinator.com/item?id=10206083)

