Slashdot Mirror

← Back to Stories (view on slashdot.org)

PwC Sends Legal Threats To Researchers Who Found Critical Security Flaw (zdnet.com)

Posted by BeauHD on from the cease-and-desist dept.

An anonymous reader quotes a report from ZDNet: A security research firm has released details of a "critical" flaw in a security tool, despite being threatened with legal threats. The advisory said that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," which could result in "fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money." An attacker could also add a backdoor to the affected server, the advisory said. The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published. Three days later, the corporate giant responded with legal threats. A portion of the cease-and-desist letter, seen by ZDNet, said that PwC demanded the researchers "not release a security advisory or similar information" relating to the buggy software. The legal threat also said that the researchers are not to "make any public statements or statements to users" of the software. The researchers told PwC that they would publicly disclose their findings once the three-month window expires, which is in line with industry standard disclosure practices. That was when PwC hit the security firm with a second cease-and-desist letter. Undeterred, the researchers released a security advisory a little over two weeks later.

4 of 188 comments (clear)

  1. Since when... by Anonymous Coward · · Score: 2, Interesting

    ...are laywers cheaper than developers?

    Or is the Higher Management unable to think in any other way because they are only laywers themselves??

    1. Re:Since when... by haruchai · · Score: 4, Interesting

      ...are laywers cheaper than developers?

      Or is the Higher Management unable to think in any other way because they are only laywers themselves??

      I worked for a tech firm that was run by a lawyer; when the shit hit the fan during the dotcom meltdown, we found out the only ass that was covered was his.
      While we were scrambling to find new jobs & pay bills, he went off to head up some board filled with other cunts like himself

      --
      Pain is merely failure leaving the body
  2. Streisand effect by TheReaperD · · Score: 5, Interesting

    Well this company completely missed the memo regarding the Streisand effect. This company obviously thought that using lawyers and burying the truth was cheaper than fixing the problem. Now, not only will they have to fix the problem, their users will be aware of the fact that the company tried to hide it from the users of the software. Talk about damage of trust. This company may also get hammered in court with anti-SLAPP penalties from the company they were threatening. Hopefully, this ends up being a very costly bout of stupidity making the company think twice about doing it again.

    --
    "Be particularly skeptical when presented with evidence confirming what you already believe." -
  3. What really sucks is... by Last_Available_Usern · · Score: 4, Interesting

    There is probably a conscientious developer that wanted to work on this the day it was discovered but the company thought the cheaper track was to bury it, and now he's probably going to be fired and implicated as the reason the bug existed, or worse, wasn't patched.