
Sybase legal threat gags flaw finders

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.

Vulnerability investigators at a database-security research firm scuttled plans to detail eight flaws in Sybase's corporate database product after being served with a legal notice.

U.K.-based Next-Generation Security Software, which found the flaws last year, has a policy of only releasing general information until three months after a software maker publishes its patches. The company was due to release more detailed information this week, but decided against further publication until the legal issues were resolved with Sybase.

Sybase responded that its primary responsibility is to ensure the security of its customers, such as the federal government and corporations in the Fortune 50. "Sybase has advised NGS of its concerns about the risks to its customers," the company said in a statement.

The incident is the second time in recent months that a flaw researcher has been threatened with legal action. The courts in France found in favor of an antivirus firm in that country, which complained that a vulnerability researcher had violated its intellectual property in searching for flaws. The courts decided the researcher will be fined if he continues to publish.