Matasano Chargen: BMC Response To ZDI: It’s Magically Litigious!

  • Terri Forslof · 2 years ago
    We were indeed very dismayed by BMC's decision not to work cooperatively with us or other members of the security research community.

    One needs only to look at the hard lessons learned by some of the other vendors on this front, to know that this stance is probably not in the best interest of BMC or their customers.

    Additionally, it puts the ZDI program in an uncomfortable position, where in the absence of cooperation from the vendor, we can only resort to our published policy for dealing with an uncooperative vendor, which states:
    http://www.zerodayinitiative.com/legal.html

    "If a vendor fails to acknowledge 3Com's initial notification within five business days, 3Com will initiate a second formal contact by a direct telephone call to a representative for that vendor. If a vendor fails to respond after an additional five business days following the second notification, 3Com may rely on an intermediary to try to establish contact with the vendor. If 3Com exhausts all reasonable means in order to contact a vendor, then 3Com may issue a public advisory disclosing its findings fifteen business days after the initial contact."

    Sadly, in many cases it may be likely that a patch is not yet available for the issue and those customers would be put at risk for no reason other than this vendor not being willing to recognize the value of independent security research and those who wish to handle that information responsibly.
  • Robert Moir · 2 years ago
    As an actual BMC customer I have to say this concerns me greatly. I'd like to think that any vulnerabilities in software my employer has spent a lot of money purchasing would be investigated fully no matter where and how the problem was notified.

    This will certainly have me thinking about whether or not to go with them in the future.
  • Douglas Farbs · 2 years ago
    Are you serious? Are we night fighting terrorists all over the world or what? This is just another form of terrorism by “independent security firms”. So let me see if I really understand this. Some HACK wishing to make a buck steals software and hacks and reverse engineers it. Then terrorizes and extorts money from that company to find out what the HACKER has discovered? Is this independent security research? Sounds like bribery to me. Do you think that there is a software company on the planet that produces bug-free code? Do I have this wrong? Tell me that “independent security firms” do their research for free?
  • Thomas Ptacek · 2 years ago
    Crazy person, can I ask how you found our blog?
  • Thomas Ptacek · 2 years ago
    Robert: we've looked at, well, a number of systems "like this". Virtually all of that work is under NDA. But I agree, you should be concerned about this whole space of products. Check this out, if you haven't already:

    http://www.matasano.com/log/agents-talk