
It's Hackers v. Hackers in Dispute Over Security Flaw Disclosures

By Casey C. Sullivan, Esq. on September 11, 2015 1:34 PM

The technology world is full of hackers and they're not all identity thieves, anti-adultery activists, or Chinese saboteurs. Instead, many are so-called "white hat" hackers, computer security experts who specialize in finding flaws in others' systems. These white hat hackers are an important, respected part of the computer security ecosystem.

Which is what makes a recent dispute between computer security companies so surprising. FireEye is a security firm that reports on flaws in Adobe, Apple, and Google, and provides its own malware protection products. And now it's suing a German security firm to keep it from doing essentially the same thing that FireEye does -- reporting dangerous flaws in FireEye's own products.

The Good-Guy Hackers

White hat hacking has a long tradition in the technology industry. Computer security experts who identify errors in a product report the flaw, usually first privately to the product's maker, so it has a chance to fix it, and then publicly. By finding and reporting flaws, the hackers prevent those weaknesses from persisting unnoticed and being exploited. Publicizing the flaws allows the public to take action to protect themselves and adds pressure on software companies to fix the errors.

This sort of hacking doesn't operate in the shadows, either. Google pays out $1.5 million a year to white hat hackers who help find bugs in its systems. The NSA offers a certificate in "ethical hacking." These security experts often run successful firms and consultancies and are often brought in-house by the companies they hack.

Not Everyone Likes Their Errors Being Aired

But not everyone likes it when you point out their flaws. FireEye sure doesn't, even though its business is finding errors in other companies' products. Recently, a German security consultancy, ERNW, found five major flaws in FireEye's malware software, including ones that could allow backdoor access to the host system. It disclosed those flaws to FireEye, but says the company took no action, Ars Technica reports. Instead, four months later, FireEye sued ERNW in Germany to prevent it from making information about the errors public.

The suit is "generating howls of protest among security professionals," according to Ars. Enno Rey, ERNW's founder, has said that it's "an inappropriate strategy to sue researchers responsibly reporting security vulnerabilities." FireEye, for its part, is claiming that it's just looking out for its customers. It claims ERNW's proposed disclosures included proprietary information that would "put our business and customers at risk." FireEye says the vulnerabilities were fixed in a patch this Tuesday.
