PWC threatens to sue security firm for disclosing embarrassing, dangerous defects in its software

ESNC, a German security research firm, discovered a critical flaw in PWC's enterprise software, which would allow attackers to hack into PWC customers' systems; when ESNC gave PWC notice of its intent to publish an advisory in 90 days, PWC promptly threatened to sue them if they did.


Indeed, the PWC legal threat went further, threatening action if ESNC gave any public statements that contained the true fact that PWC's products were not fit for purpose. PWC then doubled down by sending a second legal threat. ESNC responded by hastening its timeline, publishing its advisory in two weeks' time, rather than the three months it initially offered.

PWC says the defect has been fixed, and that it was hard to trigger. It says it threatened ESNC because ESNC wasn't an authorized user of PWC products, and so wasn't entitled to warn PWC customers about defects in its products.

This is not true.

The reality is that PWC would have only had shaky legal ground to sue ESNC if it had made good on its threats. Much more worrisome is what happens when bullies like PWC get more sturdy grounds on which to suppress reports of their errors.

The World Wide Web Consortium has spent the past three years creating a standard called EME that will integrate Digital Rights Management into browsers. Laws around the world ban breaking DRM (in Germany, the relevant law is the implementation of Article 6 of the EUCD), and this has given companies standing to threaten (and even, in one case, to jail) security researchers who come forward with reports of defects.

Hundreds of security researchers have called on the W3C to make members promise not to use EME as a means of suppressing security disclosures, but so far, without luck.


In an email, a spokesperson for PwC acknowledged the existence of the vulnerability and confirmed that it had been fixed.

The corporate giant argued that ESNC shouldn't have had access to the software in the first place, as it wasn't a licensed partner.

"ESNC did not receive authorized access or a license to use this software. The software is not publicly available and was only properly accessed by those with licenses, such as PwC clients working with trained PwC staff," said the spokesperson.

PwC sends 'cease and desist' letters to researchers who found critical flaw
[Zack Whittaker/ZDNet]

[ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security
[ESNC]