PwC Sends Legal Threats To Researchers Who Found Critical Security Flaw

An anonymous reader quotes a report from ZDNet: A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal threats. The advisory said that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said. The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published. Three days later, the corporate giant responded with legal threats. A portion of the cease-and-desist letter, seen by ZDNet, said that PwC demanded the researchers "not release a security advisory or similar information" relating to the buggy software. The legal threat also said that the researchers are not to "make any public statements or statements to users" of the software. The researchers told PwC that they would publicly disclose their findings once the three-month window expires, which is in line with industry standard disclosure practices. That was when PwC hit the security firm with a second cease-and-desist letter. Undeterred, the researchers released a security advisory a little over two weeks later.

Re:Streisand effect

[TheReaperD]

Because only the plebs go to prison.

The cost of doing the right thing

[sinij]

This will likely going to be very expensive for the security researchers, as PricewaterhouseCoopers have deep pockets and a history of shady litigations.

Assholes like PwC is why most security researchers don't bother with responsbile disclosure. It is by far much safer to anonymously dump it to pastebin.