FireEye is a publicly traded security firm that regularly finds and reports vulnerabilities in Adobe Flash, Apple’s iOS and Google’s Android operating systems. But when security researcher Felix Wilhelm found five critical flaws in FireEye’s Malware Protection System, the company went to court to obtain an injunction barring the disclosure of some of the technical details.
The move is generating howls of protest among security professionals, who argue that FireEye, of all companies, should know better than to stifle the free flow of vulnerability information. They point out that ERNW, the German consultancy that found the vulnerabilities, privately notified FireEye of the findings in April, more than four months before FireEye filed court documents to prevent Wilhelm from providing technical details related to the flaws. In the future, critics argued, it would be better if researchers publicly reported their findings first rather than giving private notice. On Thursday, ERNW founder Enno Rey also criticized the move.
“We can only speculate what the intentions are from their side,” Rey wrote in a blog post. “In general we consider it an inappropriate strategy to sue researchers responsibly reporting security vulnerabilities [for the protocol, without asking for money or anything else].”