Companies: embrace researchers who are trying to improve the security of your products. Work with them, fix vulnerabilities, and coordinate disclosure. This will
go a lot farther toward building customer confidence and help avoid negative publicity. Providing researchers safe harbor for reporting a vulnerability
to you is critical to working towards a more secure product and ecosystem.
| When |
Entity making threat |
Researcher(s) |
Research Topic |
Resolution/Status |
| 2021-03-25 |
Apperta Foundation |
Rob Dyke |
Sensitive Public Info |
Dyke discovered that Apperta had sensitive information on their GitHub repo and informed them. Apperta reported Dyke to the Northumbria Police department despite them making the serious error and him
being a good citizen. They also revoked the license to the materials published under NHoS, which they
funded, after pledging full transparency to other matters in years prior. Summary
and more details in BleepingComputer.
Dyke has since indicated this ordeal has cost him £10,000. |
| 2021-03-02 |
Xerox |
Raphaël Rigo / Airbus Security Lab |
Attacking Xerox Multi Function Printers |
 Per an article at The Daily Swig,
researcher Raphaël Rigo was scheduled to give a presentation on Xerox printers at Infiltrate 2021. An hour before
the presentation, the conference informed attendees the talk would not happen due to "pending legal action". |
| 2020-09-10 |
Giggle |
Digital Interuption |
Giggle App |
After attempting to contact the CEO and several Giggle staff to disclosure the vulnerability directly to them, Digital Interuption was blocked each time, and threatened
by Giggle users/fans after the CEO insulted them publicly. After disclosing the vulnerability, Giggle threatened the researchers with an unspecified
legal threat. |
| 2019-11-29 |
Everspin |
Theori |
Android App Research |
 On November 7, 2019, Brian Pak, CEO and Co-founder at Theori gave a presentation at Power of Community (POC) to present work
on his team's research into various Android apps and their security. Everspin claimed the research was "seriously defamatory with false information"
and threatened prosecution. Pak has written an extensive rebuttal
to these claims and did not remove the material as requested. |
| 2016-11-17 |
Chase Bank |
Chad Scira |
Web Site Security |
Before Chase created a coordinated disclosure policy or bug bounty program, Scira found a vulnerability that allowed creating unlimited reward points. Scira documented and
shared with Chase via Twitter. They organized a call with an SVP and engineer where he showed them everything that "went well". After, Chase terminated his credit card
of five years as well as terminating a family member's card. Scira disclosed this on 2020-11-04. |
| 2016-12-07 |
PwC |
ESNC GmbH |
PwC ACE Software |
ESNC attempted to coordinate disclosure of vulnerabilities in PwC software. During the process,
PwC sent two Cease & Desist orders trying to silence research. ESNC ignored them and
disclosed the vulnerabilities
along with a timeline. [ZDNet]
[TechDirt] |
| 2016-06-18 |
Nerium International |
Steven Jensen |
Vulnerability in customer portal |
Steven Jensen found a simple enumeration vulnerability in the Nerium customer portal that allows any customer to
see any other customer's details, including credit card, address, and more. Nerium ignored his attempts to report it
and only contacted him after he posted enough details to show it was a real issue. That contact came in the form of a
cease and desist letter. Jensen removed the post, and replaced it with a
timeline of the incident. |
| 2015-12-23 |
Infoba |
Henrik Høyer |
Vulnerability in Infoba solutions |
Høyer found vulnerabilities in his son's kindergarten's computer systems, created by Infoba. He was accused
of accessing sensitive information of other students, a claim which he denies. Rather than fix the vulnerabilities,
charges were filed against him. [Full story] |
| 2015-10-06 |
Unspecified |
Gianni Gnesa |
Surveillance camera vulnerabilities |
Gnesa, scheduled to speak Oct 14, 2015 at Hack-in-the-Box GSEC, pulled his talk due to legal threats from one of the three vendors of the security cameras
he tested that were found to have vulnerabilities. This threat came after Gnesa had privately disclosed the vulnerabilities to the vendor
in advance. [Threatpost],
[The Reg] |
| 2015-09-25 |
Good Technology |
Max Moser, Tobias Ospelt, David Gullasch |
XSS in Good for Enterprise administration console |
"Vendor provides legal threat against publication of advisory." No further details provided. |
| 2015-08-13 |
FireEye |
Felix Wilhelm, ERNW |
Finding/reporting vulnerabilities in FireEye products |
On May 7, 2015, Wilhelm/ERNW had the first of several conference calls regarding vulnerabilities in FireEye products. On August 6, 2015,
FireEye sent a cease-and-desist letter to ERNW, and followed up via the District Court of Hamburg, who issued an injunction preventing
Wilhelm from disclosing some, but not all, of the details of his research. As of Sep 10, 2015, Wilhelm's presentation and slides still
contain redacted information. FireEye's own advisory
for the issues does not contain vulnerable versions, use CVE identifiers, include CVSS scoring,
and has the advisory timeline section not filled out. More details are available via an
article by Richard Morrell.
Wired Article.
ENRW Blog. |
| 2015-07-13 |
Impero Software |
slipstream (@TheWack0lian |
Disclosing vulnerabilities in their product |
slipstream posted information and a functional exploit for a vulnerability in Impero's Education Pro software. Impero
sent a letter via their lawyer Gateley Plc, saying it violated the user agreement, discloses confidential information, caused damage
to Impero, and hurt their reputation among other things. A day after posting the letter, the information is still public.
[The Register article on it.] |
| 2015-07-07 |
Magic Software Argentina |
Joaquín Sorianello |
Vulnerabilities in MSA Vot.ar Electronic Voting System |
In what appears to be a convoluted story, the protected Twitter account @FraudeVotar
published information regarding MSA Vot.ar systems and a vulnerability related to SSL certificates. Joaquín Sorianello saw
the information and reported it to MSA as a warning about the issue, but had nothing to do with the account or finding the
issue. Weeks later, a group of researchers that does not include Sorianello,
published a paper about a different
vulnerability in the Vot.ar system. After this paper was published, Argentinian metro police conducted a raid of Sorianello's residence per judge's order, despite him not
finding or publishing either vulnerability. The story of Sorianello was
published by Ars Technica
and
further
summarized and commented on by TechDirt. The original Tweets are still protected, and the subsequent research still available online. |
| 2015-05-04 |
CyberLock |
Mike Davis / IOActive |
Vulnerabilities in a product |
A lawyer for a firm representing CyberLock threatened a law suit based on the DMCA. Mike Davis posted the legal threat and says
"they're working on it.. lawyers being lawyers.. hopefully at some point we can talk about the technical issues, it was a fun random project..". A day after
the legal threat was made public, IOActive published the research on CyberLock CyberKey.
Articles covering this have been published by Ars
Technica, Wired, and
The Reg. |
| 2015-03-26 |
Blue Coat |
Raphael Rigo |
Security assessment information on Blue Coat ProxySG technology |
According
to Forbes, shortly before scheduled to speak at Syscan '15, the researcher cancelled his talk on Blue Coat security.
According to Lim, founder of Syscan, this was due to some form of pressure from Blue Coat who asked
him to pass it on to Rigo. Blue Coat has not responded to requests about the nature of the pressure
and if it involved a legal threat. A of 2015-03-27, Rigo's research is not public, and his employer says
they are working with Blue Coat to "jointly share the findings" in the future. Rigo ended up presenting
at Ruxcon and Black Hat Europe months later, with the content "almost unchanged". |
| 2014-07-09 |
FireEye |
Jean-Marie Bourbon |
Security flaws in FireEye's Malware Analysis System |
According to Forbes,
after sending details of the vulnerabilities to be posted on Exploit-DB, Bourbon was suspended from his day job, due to pressure
from FireEye who has denied involvement. Ultimately, FireEye patched the issues, released an advisory,
and credited Bourbon. |
| 2014-01-15 |
Covered California |
Kristian Erik Hermansen and Matt Ploessel |
Security flaws in Covered California website |
Video taken down from Youtube and the researchers were visited by the FBI and asked to stop discussing the issues. |
| 2014-01-08 |
Public Transport Victoria |
Joshua Rogers |
Security flaws in PTV website |
Company referred incident to Victoria Police |
| 2013-12-16 |
ZippyYum |
Daniel Wood |
Insecure Data Storage in iOS Subway ordering app |
Researcher says no NDA was signed and has retained an attorney to handle any potential legal action [Mailing
List Thread] |
| 2013-07-26 |
Volkswagen |
Flavio Garcia, University of Birmingham |
Security flaws in Volkswagen cars |
The High Court in the U.K. issued an injunction against Garcia, preventing him from disclosing vulnerabilities in Volkswagon luxury cars that allow an attacker to
start them [Article]. Paper and slides ultimately posted to USENIX site two years later after the injunction. [Ars Technica, Bloomberg] |
| 2013-07-09 |
VideoLAN Organization |
Secunia |
Security flaws in VLC Media Player |
After threatening Secunia with legal action, Secunia
updates their entry to reflect a vulnerability is 'patched' even though it likely is not, and then
changed back to 'unpatched' after even more analysis. Secunia
writes an extensive blog on the saga, as
has Jean-Baptiste Kempf from VideoLAN. |
| 2013-06-13 |
Zamfoo |
Patrick |
Security flaws in Zamfoo's products |
After two weeks of not patching a vulnerability, Patrick threatens to post a POC if it isn't fixed
faster. Zamfoo replies by threatening to sue him.
(Full Thread) |
| 2013-01-20 |
Dawson College / Skytech |
Ahmed Al-Khabaz |
Security flaws in Skytech's Omnivox portals, used by schools |
Found vulnerability that exposed 250k student records, brought it to attention of college.
Did not try to conceal his identity, did not misuse the information, did not try to profit.
Skytech threatened to press charges and send him to jail
if he did not sign an NDA. |
| 2012-10-25 |
(unknown international utility) |
Ralph Langner |
Nuclear power plant vulnerabilities (SCADA) |
Talk was cancelled last minute at the 12th ICS Cyber Security Conference
An unnamed vendor objected to the talk on the grounds that
"the review would disclose problems in its equipment" and threatened to sue, "even though plant officials had approved the presentations". This is one of two talks
cancelled at the conference according
to the conference organizer. |
| 2012-05-28 |
E-Soft (UK) |
Eric Romang |
Video of Metasploit Digital Music Pad SEH overflow exploitation module |
E-Soft sent a bogus copyright claim to YouTube to have the video removed. It has been reposted to
the same site once by another individual. The video remains available, and there have been no reported
attempts to silence news of the exploit in other manners. |
| 2012-01-31 |
Smart Grid/Meter Vendor (unspecified) |
Don Weber / InGuardians |
Smart Grid Meter Security Assessment Tool Release |
Researcher cancelled the talk last minute, citing the desire to work with the vendor. Note: a reliable source tells Attrition that InGuardian did not reach out to
the vendor until weeks after the ShmooCon CFP. Further, Weber says there was no vulnerabilities being disclosed, suggesting
that InGuardian may have cancelled the talk when the unspecified vendor agreed to become a client. |
| 2011-11-22 |
Carrier IQ |
Trevor Eckhart |
Carrier IQ software logs excessive information |
Carrier IQ threatens Eckhart and sends a
cease & desist letter. Shortly after negative
attention, Carrier IQ retracts the threat. Research
stays public. |
| 2011-10-13 |
First State Superannuation |
Patrick Webster |
Direct Object Reference vulnerability in FSS website |
Researcher received letter indicating FSS reported him to the police and threatened him with further legal action. After negative publicity,
First State Super withdraws legal threat. |
| 2011-08-01 |
Trans Link Systems |
Brenno de Winter |
OV Transit Payment System Vulnerabilities |
Researcher learned he may have been facing legal charges. Vendor statement says a criminal complaint was filed and researcher was questioned, but researcher was not the target of the complaint. Instead,
the Netherlands government took legal action against Brenno, a journalist, for covering the issue. More information. |
| 2011-04-27 |
Magix AG |
Acidgen |
Buffer overflow in Music Maker 16 software (version 16.0.2.4) |
Research published despite threat. Researchers convinced Magix to change stance on vuln handling. Magix opened a resource for security researches site,
but try to force researchers not to disclose w/o a patch or fix available, in their terms and conditions. |
| 2011-03-21 |
German telecommunications firm (unspecified) |
Thomas Roth |
Amazon EC2-based password cracking software |
Roth's
apartment was raided, his bank account frozen, and he had to refrain from releasing his tool during Black Hat. Injunction had since been revoked, Roth published the research. |
| 2010-08-22 |
Indian Police (Mumbai) |
Hari Prasad |
Vulnerabilities in Electronics Corporation of India (ECIL) Electronic Voting Machines |
A paper released in April of 2010 by eight researchers, four who live in India, outlined vulnerabilities in the EVMs used by the Indian government for elections,
despite repeated claims that they were "tamper-proof". On August 22, 2010, Police officers from Mumbai drove 14 hours to Hyderabad
and arrested Hari Prasad. He was not charged
initially, and told him that they were under "pressure [from] the top". He was told if he gave up the anonymous source that provided an EVM to the team for their research
he would be left alone. After seven days in jail, and being denied bail due to medical conditions once, Prasad
was finally released on bail.
The research paper and web site outlining Indian EVM problems remains public. |
| 2010-07-26 |
Financial Industry Client (unspecified) |
Varun Uppal and Gyan Chawdhary |
High-Speed Trading System Hacks |
Due to financial pressure (i.e. loss of a client), the talk was pulled and not presenter anywhere else. |
| 2010-07-15 |
Taiwanese Government |
Wayne Huang, Armorize Technologies Inc. |
The Chinese Cyber Army: An Archaeological Study from 2001 to 2010 |
Two weeks before the conference, the talk was cancelled due
to "pressure from the Taiwanese government." |
| 2009-07-18 |
RSA |
Scott Jarkoff |
Navy Federal Credit Union Web Site Flaws |
SliceHost / TechMiso challenges RSA, RSA backs down |
| 2009-07-17 |
Comerica Bank |
Lance James |
XSS / Phishing vulnerabilities on Comerica site |
C&D Sent to Tumblr, information removed but vulnerability still present (2009-07-17) |
| 2009-06-06 |
Orange.fr |
HackersBlog |
Multiple Vulnerabilities [1] [2] |
Apparent legal threats, details not published. |
| 2008-08-13 |
Sequoia Voting Systems |
Ed Felten |
Voting Machine Audit |
Research still not published (2008-10-02) |
| 2008-08-09 |
Massachusetts Bay Transit Authority |
Zach Anderson, RJ Ryan and Alessandro Chiesa |
Electronic Fare Payment (Charlie Card/Charlie Ticket) |
Gag order lifted, Researchers hired as consultants by MBTA |
| 2008-07-09 |
NXP (formerly Philips Semiconductors) |
Radboud University Nijmegen |
Mifare Classic Card Chip Security |
Research Published |
| 2007-12-06 |
Autonomy Corp., PLC |
Secunia |
KeyView Vulnerability Research |
Research Published. Apparently, Autonomy also
threatened CORE as well but it was not made public, yet the information was shared with others. |
| 2007-07-29 |
U.S. Customs |
Halvar Flake |
Security Training Material |
Researcher denied entry into U.S., training cancelled last minute |
| 2007-04-17 |
BeThere (Be Un limited) |
Sid Karunaratne |
Publishing ISP Router Backdoor Information |
Researcher still in talks with BeThere, passwords redacted, patch supplied, ISP service not restored (2007-07-06) |
| 2007-02-27 |
HID Global |
Chris Paget/IOActive |
RFID Security Problems |
Talk pulled, research not published |
| 2007-??-?? |
TippingPoint Technologies, Inc. |
/David Maynor / ErrataSec |
Reversing TippingPoint rule set to discover vulnerabilities |
Bulk of research later
published at BlackHat Briefings 07. |
| 2005-07-29 |
Cisco Systems, Inc. |
Mike Lynn / ISS |
Cisco router vulnerabilities |
Resigned from ISS before settlement, gave BH presentation, future disclosure injunction agreed on. Full details
on Wikipedia. |
| 2005-03-25 |
Sybase, Inc. |
Next-Generation Security Software |
Sybase Database vulnerabilities |
Threat dropped, research published |
| 2003-09-30 |
Blackboard Transaction System |
Billy Hoffman and Virgil Griffith |
Blackboard issued C&D to Interz0ne conference, filed complaint against students |
Confidential agreement reached between Hoffman, Griffith and Blackboard |
| 2003-02-05 |
Epic Games |
Luigi Auriemma / PivX Solutions |
Vulnerabilities in Unreal game engine |
Thor Larholm of PivX outlines the story in a post to the Bugtraq mail list. The
same day, Mark Rein of Epic Games replies to Thor apologizing for the legal threat, calling
them a "moment-of-stupidity reaction". Sam Varghese of smh.com.au summarizes
the story in an article. |
| 2002-07-30 |
Hewlett-Packard Development Company, L.P. (HP) |
SNOsoft |
Tru64 Unix OS vulnerability - DMCA based threat |
Vendor/researcher agree on future timeline, Additional Tru64 vulnerabilities published,
HP asks Neohapsis for OpenSSL exploit code shortly after |
| 2001-07-16 |
Adobe Systems Incorporated |
Dmitry Sklyarov & ElcomSoft |
Adobe eBook AEBPR Bypass |
Elcomsoft found Not Guilty |
| 2001-??-?? |
Tegam International Viguard Antivirus |
Guillaume Tena (Guillermito) |
Vulnerabilities in Viguard Antivirus |
Suspended fine of 5,000 Euros |
| 2001-04-23 |
Secure Digital Music Initiative (SDMI), Recording Industry Association of America (RIAA) and Verance Corporation |
Ed Felten |
Four Watermark Protection Schemes Bypass - DMCA based threat |
Research published at USENIX 2001 |
| 2000-08-17 |
Motion Picture Association of America (MPAA) & DVD Copy Control Association (DVD CCA) |
2600: The Hacker Quarterly |
DVD Encryption Breaking Software (DeCSS) |
DeCSS ruled 'not a trade secret' |
The following incidents are related to the ones above, but "cross the line". They
include incidents where it was not "security research", but rather activity that was
considered a crime by current laws (at the time). Instead of following a more ethical
approach or going the route of responsible disclosure, the researcher chose to
research and disclose the details in a manner that was questionable. While the threat of
law suit of such activity is frivilous to most, the companies are being prudent
because the researcher in question likely did break laws in the process.
Over the years, many talks have been cancelled for various reasons. Sometimes, the rumor of legal threats
dominate the venue and/or news, but never happened. This table will list such events, to help clarify what
happened. As time allows, any case of a security talk being cancelled will be added.
| When |
Company making request or threat |
Researchers |
Research Topic |
Resolution/Status |
| 2012-10-19 |
Hewlett-Packard |
Kurt Grutzmacher |
Huawei / H3C router vulnerabilities |
Grutzmacher coordinated disclosure via US-CERT in August. Days before Toorcon 2012, HP
sent a polite request for him to cancel, saying patches were not ready. Grutzmacher cancelled
his talk. Two days later, HP released the patch, casting doubt over their intention behind
the request. |
| 2012-10-10 |
(none) |
Pirate Bay founders Peter Sunde and Fredrik Neij |
Talk titled "Data is Political" |
Neij's lawyer advised his client not to travel to a highly visible public
conference centered on hacking. Sunde was reportedly too ill to travel. |
| 2012-07-29 |
(unknown) |
Sergey Gordeychik / Denis Baranov, Positive Technologies |
SCADA vulnerabilities including Siemens |
The talk "SCADA Strangelove: How I Learned To Start Worrying And Love The Nuclear Plants" was cancelled a
week before the conference and replaced with a different SCADA talk by another person not affiliated
with Positive Technologies. No confirmation as to why, speculation is the talk was pulled due
to vendor pressure. |
| 2012-01-31 |
Smart Grid Meter Vendor (unnamed) |
Don Weber / InGuardians |
Smart Grid Vulnerabilities |
Was asked to pull talk from ShmooCon 2012, complied. Presented later at BSidesLV 2012. |
| 2011-08-16 |
(none) |
Riley Hassel / Shane Macaulay |
Google Android Vulnerabilities |
BlackHat Briefings Las Vegas 2011
Hassel/Macaulay scheduled to give "Hacking Android for Profit" talk at BlackHat Briefings Las Vegas 2011. Neither
presenter showed for their talk. Subsequent articles point out that Google said "The identified bugs are not present in Android", and
that the presenters backed out in "fear criminals would use it attack Android phones". In another work, Hassel said
"that some of their work may have replicated previously published research, and they wanted to make sure they properly acknowledged that work." |
| 2011-05-18 |
Siemens / Department of Homeland Security (DHS) |
Dillon Beresford / NSS Labs |
SCADA vulnerabilities |
TakeDownCon 2011 talk titled "Chain Reactions - Hacking SCADA" was cancelled by Beresford after concerns
from Siemens/DHS were expressed. Beresford said "DHS in no way tried to censor the presentation." |
| 2010-07-15 |
Taiwanese / Chinese agencies (unnamed) |
Wayne Huang, Armorize CTO |
Analysis of China's government-backed hacking initiatives |
Talk pulled from BlackHat Briefings 2010 in Las Vegas, announced by Caleb Sima, Armorize CEO on Twitter.
An earlier version of the talk was given to a small conference in Taiwain in 2007. |
| 2010-06-29 |
ATM Vendors (unnamed) |
Raoul Chiesa |
ATM Vulnerabilities |
Initial reports
said that Chiesa was threatened by ATM vendors and forced to cancel last minute. according
to Chiesa, no threats were made. The talk was cancelled for "logistical issues that day". Some in the industry have classified this as a publicity stunt, to garner more attention for the talk at a subsequent date. |
| 2009-06-30 |
ATM Vendors (unnamed, presumed Triton) |
Barnaby Jack / Juniper Networks |
ATM Vulnerabilities |
BlackHat Briefings Las Vegas 2009 talk cancelled by Juniper after ATM vendor expressed concerns about disclosure before customers
were fully protected. Information published at BlackHat 2010. |
| 2008-07-02 |
Apple |
Unamed 'Apple Insiders' |
Apple Security Response Team |
According to Trey Ford, BlackHat general manager, a panel of Apple insiders were
to have a panel to discuss "the company's security-response team". When Apple's marketing
department heard, the panel was abruptly cancelled. |
Copyright 2008-2015 by Attrition.org. Permission is granted to quote, reprint or redistribute provided the text is not altered, and appropriate credit is given.
![[Image: Lady Liberty, Gun to Head]](legal_threats.jpg)
It has been clear for years that businesses have dropped ethics in favor of profit. Protecting the bottom line is usually more important than doing the right
thing, even if it means providing a better product to their customers. Companies fear negative publicity, especially if said publicity challenges the security of their
products. It doesn't matter that just about every company and product ships with numerous vulnerabilities, and adding security is a band-aid solution
rather than an integral part of the development life cycle. Rather than work with researchers who are frequently providing what would otherwise be high-dollar
specialized consulting for free, some companies opt to go take the muddy road and pursue legal action against the researchers. This action is one of desperation
and attempts to silence and stifle legitimate research and free speech. Invariably, this ends up being a huge negative PR move, much worse than what
would occur with the publication of said research without the legal murk.
