PwC Sends Legal Threats To Researchers Who Found Critical Security Flaw (zdnet.com)
An anonymous reader quotes a report from ZDNet: A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal threats. The advisory said that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said. The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published. Three days later, the corporate giant responded with legal threats. A portion of the cease-and-desist letter, seen by ZDNet, said that PwC demanded the researchers "not release a security advisory or similar information" relating to the buggy software. The legal threat also said that the researchers are not to "make any public statements or statements to users" of the software. The researchers told PwC that they would publicly disclose their findings once the three-month window expires, which is in line with industry standard disclosure practices. That was when PwC hit the security firm with a second cease-and-desist letter. Undeterred, the researchers released a security advisory a little over two weeks later.
For those of us who remember introducingmonday.co.uk (now sadly no longer there) just remember "We like donkeys"
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Their job? Their job is to make money. Sometimes fixing large-scale problems costs money. I guess threatening with a lawsuit is actually closer to "doing their job" than you think.
Reputation has an impact on the job of making money. So does ethics.
Perhaps one day failing companies will pull their head out of their lawyers' ass and realize that.
FTA: The researchers first met with PwC in August about this vulnerability. The advisory was released December 7th. September... October... November... yep. That's three full months since the initial meeting, with the only correspondence given by PwC being a series of C&Ds. Not even a "Please don't disclose this yet, we need more time to fix."... I only see this as PwC are the assholes in the equation. Also, the second link in the summary is the full advisory without the need for contact info.
According to the advisory itself:
19.08.2016 PwC contacted
22.08.2016 Meeting with PwC, informed them about the impact and the details of the vulnerability and responsible disclosure
05.09.2016 Asked PwC about updates and whether a patch is available
13.09.2016 Received a Cease & Desist letter from PwC lawyers
18.11.2016 Informed that 90 days have passed and ESNC is planning to release a security advisory; asked for any details PwC can share about this matter including risk, affected versions, how to obtain a patch
22.11.2016 Received another Cease & Desist letter from PwC lawyers
07.12.2016 Public disclosure
"Companies like PwC cannot grasp the concept of earning money and behaving ethically at the same time."
You're not kidding there. I'd never heard of them but pulled up their wiki page. It's quite long. And a good half of it is dedicated to controversies and scandals. Almost all around financial fraud. How are these clowns not in prison?
It is apparently some sort of big accounting firm.
dates too hard to read; stopped trying
You wouldn't be American by any chance would you? Just to help you out I've provided a translation for you.
8/19/2016 PwC contacted
8/22/2016 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
9/5/2016 Asked PwC about updates and whether a patch is available
9/13/2016 Received a Cease & Desist letter from PwC lawyers
11/18/2016 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
11/22/2016 Received another Cease & Desist letter from PwC lawyers
12/7/2016 Public disclosure
I am Slashdot. Are you Slashdot as well?
Fixed it for you:
2016-8-19 PwC contacted
2016-8-22 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
2016-9-5 Asked PwC about updates and whether a patch is available
2016-9-13 Received a Cease & Desist letter from PwC lawyers
2016-11-18 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
2016-11-22 Received another Cease & Desist letter from PwC lawyers
2016-12-7 Public disclosure
Obligatory: https://xkcd.com/1179/
This is Slashdot. Really fixed it for you.
1471593600 PwC contacted
1471852800 Meeting with PwC, informed them about the impact and the details
of the vulnerability and responsible disclosure
1473062400 Asked PwC about updates and whether a patch is available
1473753600 Received a Cease & Desist letter from PwC lawyers
1479456000 Informed that 90 days have passed and ESNC is planning to
release a security advisory; asked for any details PwC can share about this
matter including risk, affected versions, how to obtain a patch
1479801600 Received another Cease & Desist letter from PwC lawyers
1481097600 Public disclosure