PWC threatens to sue security firm for disclosing embarrassing, dangerous defects in its software

ESNC, a German security research firm, discovered a critical flaw in PWC's ACE enterprise software for SAP security, a flaw that would let attackers break into the systems of PWC customers running it; when ESNC gave PWC notice of its intent to publish an advisory in 90 days, PWC promptly threatened to sue if it did.

Indeed, the PWC legal threat went further, threatening action if ESNC made any public statement containing the true fact that PWC's products were not fit for purpose. PWC then doubled down by sending a second legal threat. ESNC responded by shortening its timeline, publishing its advisory in two weeks rather than the three months it had initially offered.

PWC says the defect has been fixed, and that it was hard to trigger. It says it threatened ESNC because ESNC wasn't an authorized user of PWC products, and therefore wasn't entitled to warn PWC customers about defects in those products.

This is not true.

The reality is that PWC would have had only shaky legal ground to sue ESNC if it had made good on its threats. Much more worrisome is what happens when bullies like PWC get sturdier grounds on which to suppress reports of their errors.

The World Wide Web Consortium has spent the past three years creating a standard called EME (Encrypted Media Extensions) that will integrate Digital Rights Management into browsers. Laws around the world ban breaking DRM (in Germany, the relevant law is the implementation of Article 6 of the EUCD), and this has given companies standing to threaten (and even, in one case, to jail) security researchers who come forward with reports of defects.

Hundreds of security researchers have called on the W3C to make members promise not to use EME as a means of suppressing security disclosures, but so far, without luck.

In an email, a spokesperson for PwC acknowledged the existence of the vulnerability and confirmed that it had been fixed.

The corporate giant argued that ESNC shouldn't have had access to the software in the first place, as it wasn't a licensed partner.

"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff," said the spokesperson.

PwC sends 'cease and desist' letters to researchers who found critical flaw [Zack Whittaker/Zdnet]

[ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security [ESNC]

Notable Replies

  1. I'm so happy that black hats will only attack using the software they were properly licensed to use.

  2. Thank God/Dog/Cthulhu/FSM that we don't have to fix the issues! We can just sue to shut people up!

  3. I think that what PWC are trying to get at (not said in the article) is that if researchers were a licensed "partner", they would have been prohibited from doing any security research and/or publishing anything by their license. Such "gag orders" are commonplace in enterprise software. And since they aren't licensed, they obviously had to steal it and thus have no right to dig in it or publish anything either.

    It is a pretty typical reaction of a big company: whenever something potentially damaging to the brand surfaces, the first thing to do is to send lawyers and then perform "PR management". Fixing the actual problem would actually cost money and show that the overpriced product is buggy, so it is not done, or only as the last option.

    Disgusting :frowning:

  4. Don't forget if you are affected by the bug in the software, the company can then claim it's not their fault and get out of it.

    Late stage fucking capitalism indeed.

  5. KXKVI says:

    And of course forced arbitration will prevent any kind of justice.
