FireEye obtains injunction over security firm's vulnerability disclosure

FireEye said it learned at the end of June that ERNW was planning to release findings on five now-patched vulnerabilities in FireEye’s operating system.

FireEye said it has obtained an injunction to prevent German security firm ERNW from revealing FireEye's intellectual property in a vulnerability disclosure; however, ERNW said that revealing such information was never its intention.

In a statement emailed to SCMagazine.com on Friday, FireEye said it learned at the end of June that ERNW was planning to release findings on five now-patched vulnerabilities in FireEye's operating system. FireEye said it took no issue with ERNW disclosing the vulnerabilities, but was concerned about certain information included in the report.

“When FireEye received the report, we found that it also contained details exposing FireEye intellectual property,” the statement said. “Since FireEye has been in touch this summer with ERNW working on fixing the vulnerabilities, we repeatedly asked ERNW to reconsider exposing our intellectual property, pointing out that this was trade secret, inappropriate and put our customers at risk.”

FireEye said “ERNW refused,” but ERNW refuted those claims.

In a Thursday post, Enno Rey, founder of ERNW, wrote that the security firm removed sensitive information on several occasions, despite feeling the information was pertinent to understanding the nature of the vulnerabilities.

Rey went on to explain that ERNW and FireEye had a seemingly successful meeting in Las Vegas in August where it appeared an agreement was reached on what should and should not be included in the final vulnerability disclosure report.

Rey said FireEye hit ERNW with an “extensive” cease-and-desist letter less than 24 hours later, and then approached a district court, reportedly in Hamburg, to obtain an injunction, which was issued on 13 August and delivered to ERNW on 2 September.

“Let me state here that we fully understand FireEye's desire to protect their intellectual property and of course we adhere to the respective laws,” Rey wrote. “It's just: we never had the intention to violate that anyway, and we had abided by (both virtual and physical) handshake several times that nothing would be published without mutual agreement. We thought we were on the same track.”

In the end FireEye approved the final reports that disclosed the vulnerabilities – as well as put out its own summary – and ERNW was also able to present the bugs at a recent conference, albeit with certain details remaining withheld.
