Sybase has withdrawn its legal threat against a UK bug-hunting firm over the contents of a software vulnerability disclosure.
Sybase and Next Generation Security Software issued a joint statement [pdf] about a series of security holes that NGS found in Sybase's Adaptive Server Enterprise database last year. The companies pointed users to a technical advisory posted by NGS and to information on Sybase's website about fixes that were released in February.
Two weeks earlier, NGS dropped plans to publicly release details of the database flaws after Sybase warned that it would take legal action if it went ahead with the disclosure. Sybase said the warning was motivated by concern for the security of Sybase ASE users.
Sherief Hammad, a founding director of NGS, said the research firm agreed to let its vulnerability advisory be edited by Sybase officials after hearing about their concerns. "We managed to word the advisory in such a way that we felt we had enough details for it to be worthwhile to the public and Sybase felt it had limited ability to be exploited," Hammad said. "At the end of the day, it was a fairly amicable agreement."
Sybase's edits were marginal and didn't alter the meaning of the original content in any way, Hammad said. As part of the deal with Sybase, "there was no agreement that they will get this privileged process every time," he noted.
Hammad added that NGS doesn't plan to revise its vulnerability disclosure policies as a result of the incident. NGS officials said they initially disclose the existence of flaws only to the affected software vendors and then wait for patches to be released before going public with the details.
Kathleen Schaub, vice president of marketing at Sybase, said the whole affair stemmed from a misinterpretation of the software vendor's motives on the part of NGS. "From our standpoint, it was a miscommunication," Schaub said. "As soon as we started the dialogue, they realised, and we agreed, that they could publish what they felt they needed to."
Sybase is evaluating whether it needs to set a formal policy for dealing with vulnerability researchers, Schaub said. But she added that the software vendor "will work more proactively and more cooperatively" with researchers in the future.