Games maker not suing over bug alert

Epic Games, maker of the Unreal Tournament series of virtual-world shooting games, denies reports that it considered filing a lawsuit against a security company that found holes in its products.

Robert Lemos Staff Writer, CNET News.com
Epic Games, maker of the Unreal Tournament series of virtual world shooting games, on Tuesday denied reports that it considered filing a lawsuit against a security company that found holes in its products.

The reports began when TechTV.com quoted Epic Games Vice President Mark Rein as saying that several comments made by security firm PivX Solutions were "slanderous" and that Epic would consult with its lawyers.

To the contrary, Epic Games is satisfied with how the security firm handled the issue, Tim Sweeney, president and founder of Epic Games, said in an interview with CNET News.com.

PivX "found some security problems and we took way too long to get on them," Sweeney said. "We are not going to sue anyone for finding flaws in our products."

A week ago, PivX released an advisory outlining several problems with games based on the Unreal Engine--Epic's core software for creating the player games--that could allow an attacker to use Unreal servers to attack other computers with a flood of data or, for the worst flaw, take over a computer running the games.

At the time, Epic didn't have a patch available; the programmer who had responsibility for producing a fix dropped the ball, Rein said in an earlier interview.

Sweeney added that such hiccups should be expected of a company handling its first security incident. "This is the procedure that I think companies go through when faced with a security flaw for the first time," he said. "We are definitely establishing standard procedures for handling such flaws in the future."

PivX had originally notified Epic of the issues in November. With such security issues, emerging standard practices in the security community dictate that the software maker be given a month to create a patch for the vulnerabilities.

When the 30 days stretched out to almost three months, PivX criticized Epic, calling them unresponsive.

"Epic and its employees engaged PivX and its researchers in a variable game of 'cat and mouse' over the course of three months prior to this release," PivX's chief hacking officer Geoff Shively said a week ago in a statement announcing the flaw.

Epic, for its part, said the delays were due to inexperience. However, Rein's comments, as reported by TechTV, raised the stakes in what had been a mild war of words between the two companies.

In the past, companies whose products had been found to be vulnerable have only occasionally threatened hackers and security researchers with lawsuits. For example, last summer, Hewlett-Packard made legal noises when a group of hackers-cum-security-researchers released vulnerability information before the company had a patch ready.

On Tuesday, Thor Larholm, a senior security researcher with PivX, fired back at the comments by Rein by sending an e-mail to the popular Bugtraq security mailing list.

"I have received better nonresponsive treatment by Microsoft when their security handling was at its worst," he wrote in the e-mail. "Contrary to the vast improvements that Microsoft has gone through over the last year and a half, Epic Games did not even start to acknowledge the problem properly before a full public disclosure had been made on February 5."

In a separate e-mail to News.com, Larholm said he had received e-mail from Epic's Sweeney explaining the situation and that PivX was satisfied with the response.