BMC Response To ZDI: It’s Magically Litigious!

Dave G. | April 20th, 2007 | Filed Under: Disclosure, Industry Punditry

Earlier this week, ZDI released a slew of vulnerabilities across a number of enterprise software vendors. And if you look at how most of the vendors responded to ZDI, you would see something like:

XXX has released an update that addresses the vulnerability. It is available at:

http://update/pathtoupdate

Short, sweet and to the point… However, one vendor had a fascinating response:

BMC has provided the following statement: “[This issue] has been addressed, and a patch has been made available to our customers. A flash bulletin has been created describing the patch and will be sent to all affected customers in the next few days.

BMC has a formal customer support mechanism in place to provide solutions to security issues brought to us by those who have legally licensed our software. In cases where security issues are brought to my attention by individuals/vendors who do not have legal access to our products, we will investigate their merit; however the issues will be addressed at our own discretion and according to our understanding of their severity.

Finally, please note that in the future, I will only communicate resolutions and workarounds to licensed customers who are using our software legally. For a more meaningful dialogue around these issues and to be notified of any available patches, I urge all licensed customers to use BMC’s support mechanism.”

6 Comments so far

  • Terri Forslof

    April 20th, 2007 7:05 pm

    We were indeed very dismayed by BMC’s decision not to work cooperatively with us or other members of the security research community.

    One needs only to look at the hard lessons learned by some of the other vendors on this front, to know that this stance is probably not in the best interest of BMC or their customers.

    Additionally, it puts the ZDI program in an uncomfortable position, where in the absence of cooperation from the vendor, we can only resort to our published policy for dealing with an uncooperative vendor, which states:
    http://www.zerodayinitiative.com/legal.html

    “If a vendor fails to acknowledge 3Com’s initial notification within five business days, 3Com will initiate a second formal contact by a direct telephone call to a representative for that vendor. If a vendor fails to respond after an additional five business days following the second notification, 3Com may rely on an intermediary to try to establish contact with the vendor. If 3Com exhausts all reasonable means in order to contact a vendor, then 3Com may issue a public advisory disclosing its findings fifteen business days after the initial contact.”

    Sadly, in many cases it may be likely that a patch is not yet available for the issue and those customers would be put at risk for no reason other than this vendor not being willing to recognize the value of independent security research and those who wish to handle that information responsibly.

  • Robert Moir

    April 22nd, 2007 4:46 am

    As an actual BMC customer I have to say this concerns me greatly. I’d like to think that any vulnerabilities in software my employer has spent a lot of money purchasing would be investigated fully no matter where and how the problem was notified.

    This will certainly have me thinking about whether or not to go with them in the future.

  • […] Matasano Chargen » BMC Response To ZDI: It’s Magically Litigious! Well, I guess if I get to decide, I won’t ever buy anything from BMC. […]

  • Douglas Farbs

    April 28th, 2007 9:09 am

    Are you serious? Are we night fighting terrorists all over the world or what? This is just another form of terrorism by “independent security firms.” So let me see if I really understand this. Some HACK wishing to make a buck steals software and hacks and reverse engineers it. Then terrorizes and extorts money from that company to find out what the HACKER has discovered? Is this independent security research? Sounds like bribery to me. Do you think that there is a software company on the planet that produces bug-free code? Do I have this wrong? Tell me that “independent security firms” do their research for free?

  • Thomas Ptacek

    April 28th, 2007 12:26 pm

    Crazy person, can I ask how you found our blog?

  • Thomas Ptacek

    April 28th, 2007 12:28 pm

    Robert: we’ve looked at, well, a number of systems “like this”. Virtually all of that work is under NDA. But I agree, you should be concerned about this whole space of products. Check this out, if you haven’t already:

    http://www.matasano.com/log/agents-talk