Security Research Threats
Research Threats: Legal Threats Against Security Researchers
An ongoing collection of legal threats made against Security Researchers: over-reactions, demands, and cease & desist letters against good faith research. This project is in homage to @attritionorg great work in documenting historical researcher threats.
Visit this project on the web: https://threats.disclose.io
Visit this project on GitHub: https://github.com/disclose/research-threats
Includes many historical legal events copied with permission from @attritionorg, originally at https://attrition.org/errata/legal_threats/, which is still maintained. Crowd-sourcing this data through this repository is strongly recommended by all parties.
It doesn’t matter that just about every company and product ships with vulnerabilities; security should be built into a product, rather than applied as a band-aid solution. Secure products are better, and a responsive security team should be an integral part of the development life cycle of that product. Vulnerabilities will happen; the response to those reports are what is important. Burning bridges and dismissing the good will of researchers offering to help secure your products does not benefit anyone.
Is an incident missing from this list or want us to investigate?
Create an issue :)
If you want to submit something more privately, you can email any of hello [at] disclose.io, jericho [at] attrition.org threats [at] sick.codes using the following key: https://raw.githubusercontent.com/disclose/research-threats/master/researchthreats.asc. This is a shared key between the three people mentioned above.
Issues with links and information are welcome, pull requests are even better!
Please sanitize Personally Identifiable Information (PII) from PDF, PNG, JPG files before uploading to the goodies folder!
In the interest of Security Researcher safety, and prevent you from doxxing yourself, you may want to remove all EXIF data from uploads.
From time to time, you may wish to upload documents, screenshots, or even photographs to the goodies folder.
See ExifTool installation instructions here in the goodies folder.
exiftool -all='' document.pdf
exiftool -all= image.png
exiftool -all= image.jpg
exiftool -all= *.png
For Companies
Find examples below of what not to do.
Embrace security researchers. Learn from the documented examples in this archive. Researcher’s who have been threatened by naive entities while legitimately working to improve the security of a product should be a source of collaboration; they may know more about your systems than you do. Put researchers who voluntarily submit bugs & vulnerabilities in touch with your internal security teams, work together to fix vulnerabilities, and coordinate the disclosure to your customers and the public.
-
An excellent coordinated disclosure generally boosts a company’s public image & customer confidence. It encourages researchers to work with you, not against you.
-
A negative experience can exponentially generate negative publicity, sometimes even viral.
-
Providing researchers safe harbor for reporting a vulnerability to you is critical to working towards a more secure product and ecosystem.
Entities that engage researchers and respond quickly to security events are more likely to generate a positive experience.
Entities with no security response team, may be more likely to experience a negative disclosure event.
For Researchers
Find examples below of what can happen when things go wrong.
Shield yourself from threats by always acting in good faith, following a company’s vulnerability disclosure terms and visit the EFF’s Coders’ Rights Project. Work with companies and respect their timelines for implementing fixes. What may seem like an “easy fix” to you may be more complicated for a vendor maintaining multiple code trees across hundreds of platforms supporting thousands of customers.
Companies fear negative publicity; but companies also ship bugs & vulnerabilities out into the wild. Any publicity that may challenge the security aspect of a product may lead to legal threats or calls to law enforcement.
Engaging a company with an extensive, well managed security vulnerability program, will almost never lead to legal action. In fact, you may even be protected from violating a license agreement, while conducting good faith research, under safe habor.
Engaging a company that favors profit over ethics, or considers protecting the bottom line as more important than doing the right thing, may lead to challenges. Some companies welcome vulnerability reports. Some companies don’t, but that does not make them immune from exploitation.
Researcher’s Rights: Threatened Security Researchers Walk of Fame & Hall of Shame
Below, you will find an ongoing & maintained collaborative effort to document some of the most bizarre reactions to otherwise trivial security events.
Historical archives were taken with explicit permission to continue wonderful work started by the folks at @attritionorg, and are hosted in their originality at https://attrition.org/errata/legal_threats/.
Researcher Threat Template Row:
| 20XX-XX-XX | [The Entity](https://entity) | [Researcher](https://github.com/Researcher) | Topic Here | Insert the description of the event here |
Confirmed Threats Made Against Researchers
| When | Entity | Researcher(s) | Topic | Status |
|---|---|---|---|---|
| 2023-04-12 | FreeHour | Giorgio Grigolo, Michael Debono, Luke Bjorn Scerri and Luke Collins | Students arrested, stripped naked, violated by Police. | On October 18, four computer-science students emailed FreeHour about software vulnerabilities in their student timetabling app, with a hefty 90 day disclosure window. Alongside their responsible disclosure to FreeHour, the students asked if their good-faith advisory would be eligible for a possible bounty, once the bug had been patched. One or more imbeciles at FreeHour lied to the Police about the nature of the student activity. Scerri, Grigolo and Debono received serach warrants, all their homes were raided by the Police, and instead of receiving a bug bounty reward, they were heinously strip searched, had their computers violated as a result of the inadequeate response by FreeHour. Originally, the authorities told them that their items would be returned within several weeks but they are currently still having their right violated. Collins was in England studying for his PhD, yet was questioned when he returned to the country for Christmas. FreeHour founder and CEO Zach Ciappara said that, once he received the e-mail from the four students in October, he contacted the office of the Information and Data Protection Commissioner (IDPC) and the Cyber Crime Unit for advice. After the situation began to escalate for FreeHour, the CEO subsequently published a statement on Instagram. According to another statement, “Due to the mention of payment, changes to the app’s front end & a 90 day ultimatum, FreeHour was legally advised to report this to the Police as a potential threat. The company is starting to do cyber now, and is apparently committed to doing so on an ongoing basis. “We are also willing to work with the four students to assist in improved security, and to implement new measures. Moreover, we are undergoing internal training in INFOSEC, GDPR and data integrity,” CEO Zach Ciappara added. It is unclear whether the students would be willing to work with the company again, given they were stip searched, raided, violated, and arrested. |
| 2022-02-12 | Cole County Prosecuting Attorney @ The State of Missouri | Josh Renaud - View Statement | Prosecutor Drops Charges After Four “Anxious” Months | On February 11th, the public received a statement from Josh Renaud, who was previously unnamed in the incident below, dated 2021-10-15 involving The State of Missouri & St. Louis Post-Dispatch. In Renaud’s statement, Renaud was accused on television as a malicious “hacker”. In his statement, Renaud details the significant harm caused by this investigation, which is, “entirely legal and consistent with established journalistic principles.” It is also the only way to report bugs: to the vendor, of course. Renaud’s statement details that this, “has been one of the most difficult seasons of [his] nearly 20-year career in journalism. But [he had] found strength in the prayers and support of my family and friends and so many others across the country.” This entry has been entered as a separate update as Renaud was previously unnamed. The statement speaks for itself and should be a wake up call to those who persecute others for political gain, as stated by the state Senate, “more care was given to political gain than the harm caused to a man and his family.” Renaud’s experience, “hasn’t been easy.” Renaud was, “politically persecuted,” and was even used & abused in “attack ads” aired by his political action committee. The full statement is well & truly worth reading. Possibly one of the most important statements a researcher has made in recent times. |
| 2021-10-21 | Apple, @apple | Denis Tokarev, @illusionofchaos | DMCA Takedowns of Mirror | iOS App Developer & Security Researcher Denis Tokarev (illusionofchaos) has developed an interesting relationship with Apple since early 2021. The researcher participated in Apple’s Bug Bounty program in hope’s of receiving a payout for his research having submitted the details between March 10 and May 4 of 2021. Four months later, Tokarev published his (Disclosure of four 0-day iOS vulnerabilities and his opinion of the Apple Security Bounty Program. To this day, Tokarev is still not listed on the Apple Security Advisory for iOS 14.7 and iPadOS 14.7 security advisory.. In his words, “When I confronted them, they apologized, assured me it happened due to a processing issue and promised to list it on the security content page of the next update. There were three releases since then and they broke their promise each time.” Frustrated with the lackluster communication between Apple’s illusive security team, Tokarev eventually published his Proofs of Concept on GitHub: “iOS gamed exploit (fixed in 15.0.2)”, a redacted “Analyticsd pre-14.7 exploit”, “nehelper enumerate installed apps 0-day (iOS 15.0)”, and “Nehelper Wifi Info 0-day (iOS 15.0)”. A Jailbreak community member, @rllbe, released a patch exclusively for Jailbroken devices named entitlementfix. This is great for Jailbroken phones but does not help the millions of regular iPhones which are still vulnerable to attacks, namely information disclosure. Valued at $100,000 or more on the Example/Dummy Bounty payout page, or perhaps an exponentially higher value on the grey market, Tokarev has yet to receive a bounty, nor recognition, other than an email from Apple stating that they made an error in crediting his research. Apple silently patched one of the exploits in July with the release of iOS 14.7. To add to the already difficult relationship, Tokarev discovered and mirrored a helpful website with API documentation named “Atlas” for research purposes. “Atlas is developed and maintained by the Hardware Test Engineering (HWTE) Software Platform group.” The repository is currently serving the DMCA takedown notice Apple sent him. What makes this takedown unique is that the fact that the original server is still live; Tokarev mirrored a documentation resource, which is very common procedure on GitHub. Along with the GitHub DMCA notice, Tokarev had multiple tweets also taken down. The DMCA content removal takedown notices on GitHub are publicly etched into GitHub’s DMCA repository; the Lumen database copy can be viewed here. The researcher was also locked out of his Twitter account at one point. As per DMCA submission rules on Twitter, the firm representing Apple, swears, “under penalty of perjury,” that the the documentation is Apple’s copyright. What makes this case seem targeted is that only Tokarev’s content has been DMCA’ed by Apple- absolutely no other reply, public tweet, or image containing the IP address has apparently been removed from Twitter. An archive of the alleged offending content page, while still live, is archived.. On October 25, 2021, @apple eventually added the contribution, in Analytics affecting iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). It was issued CVE-2021-30871 and the impact statement was, “A local attacker may be able to access analytics data.” NIST analysts scored the bug 5.5 CVSS MEDIUM. |
| 2021-10-15 | The State of Missouri | St. Louis Post-Dispatch | State law vs. Good-faith research, alleged hacktivism. | On October 12th, the Missouri Department of Elementary & Secondary Education was made aware of a vulnerability in a portal that was leaking personal information of Missouri educators. Missouri Gov. Mike Parson, in a press conference stated that at least 3 educators’ data was specifically accessed. It is not known whether these 3 educators’ data were used to validate the vulnerability, or whether they were specifically targeted by the researcher. It was stated that it would not be possible to download all of the personal data at once. Under 2017 Statute 569.095 of Missouri Law: “A person commits the offense of tampering with computer data if he or she knowingly and without authorization or without reasonable grounds to believe that he has such authorization: Accesses a computer, a computer system, or a computer network, and intentionally examines information about another person; a class A misdemeanor.” The Gov. stated that this may cost at least $50 million dollars to patch, diverting Missouri State resources for Legal costs, the Cole County Prosecutor, and Missouri State Highway Patrol Digital Forensics Unit to investigate the alleged wrongdoing. Therein lies the issue, that had this vulnerability not been reported to the vendor, it would remain to be vulnerable and the state would likely be unaware of it being exploited for malicious purposes. To complicate matters for both the researcher and the vendor (ITSD who programs & maintains the portal), it was alluded to during the press conference that the researcher was going to use the information for political gain, under the guise of research. In Missouri, it is unlawful to access “encoded” data (the passwords were allegedly base64 encoded), which may include viewing HTML source code or to compromise systems to embarrass the state and allegedly, “sell headlines,” for their new outlet. Two issues that should be highlighted in this event is that is can be argued that is a Class A misdemeanor in Missouri to essentially push the F12 key while browsing a website, but the researcher has also been alleged to either be employed by or have provided the data to a local news outlet, as a “political vendetta,” which could fall under bad-faith research, or hacktivism, if the data was published. Regardless, the embarrassment of a leaky portal lies with the developer of the website, and the St. Louis Post-Dispath, stated “The newspaper delayed publishing this report to give the department time to take steps to protect teachers’ private information, and to allow the state to ensure no other agencies’ web applications contained similar vulnerabilities.” |
| 2021-08-04 | CDU (German political party) | CERT, Politics, hacktivism, back-tracking | Lilith Wittmann | In 2021, during the election campaign for the German Bundestag, a security researcher named Lilith Wittmann discovered and published data security issues in the election campaign app used by the German parties CDU, CSU and Volkspartei. The CDU pressed charges against Wittmann but withdrew later after a public outcry and apologized. |
| 2021-07-13 | Apple, @apple | Corellium, @corellium, | Relentless dissmissed copyright infringement lawsuits of good faith research platform | Apple’s Bug Bounty rules permits Security Researchers to, “copy, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of such Apple software,” provided they share the results with Apple. However, in 2019, Apple filed a lawsuit against Corellium, stating that it participates, “with no license or permission from Apple.” Moreover, “Apple approved of Corellium participating in its invitation-only Security Bounty Program (“bug bounty program”) with a promise to pay for software bugs identified by Corellium in court documents dated 10-28-2019.” Apple gladly accepted and utilized bugs submitted by Corellium as part of this program [yet] broke its promise to pay for them.” Apple’s bug bounty began in 2016, but was only opened to the public in 2019. This means anyone can participate. Corellium was a participant of the invitation-only program. Corellium claims it is owed $300,000 in unpaid bounties. Apple is known to change the prices, with Apple originally offering up to $1,500,000 as the maximum payout, but that has since come down to $1,000,000. Moreover, an “iCloud” bounty is listed with a maximum payout of $100,000 on the main page, however, a “limited” iCloud bypass is only a mere $25,000. Apple has previously, “made eBay remove a listing that offered a prototype iPhone for sale for $10,000”. Bizarrely, Apple only offers the “Security Research Device” (SRD) for the iPhone, abandoning the iPadOS, macOS, tvOS, and watchOS which do not have Research Devices. The number of vulnerabilities discovered on SRDs is extremely low, with many vulnerabilities coming from ZDI as well as anonymous researchers. Apple sued Corellium in 2019, for copyright infringement. The copyright claim is a disgrace to researchers, far and wide, and even stated 08-15-2019, “Apple strongly supports good-faith security research on its platforms, and has never pursued legal action against a security researcher,” yet is pursuing the only platform that empowers researchers to participate in Apple’s program. Apple lost that lawsuit, demonstrating a clear & apparent disconnect between the company and good faith Security Researchers. The UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF FLORIDA dismissed every single one of Apple’s claims. The COURT ruled on 05-11-2020 “Corellium does not infringe any of Apple’s copyrights.” Apple ignored the ruling, filing another lawsuit, casting a shadow of legal uncertainty over the entire Security Research community. Apple admits to trying to buy Corellium, in which Corellium was approached by Federighi, Andrews, & Krstic, who are Apple’s Senior Vice President of Software Engineering, the Vice President of OS Software Engineering, and the Head of Apple’s Security Engineering and Architecture, respectively. The case was “DONE AND ORDERED in Fort Lauderdale, Florida, [on] 29th day of December 2020, noting Corellium may make fair use of iOS, but it is not absolved of potential liability for allegedly employing circumvention tools to unlawfully access iOS or elements of iOS.” However, Apple’s Bug Bounty program specifically permits the above, if you report the bugs to Apple. This series of lawsuits destroys credibility in the Security Research community, and Apple’s lower-than-expected payouts deters researchers from reporting the bugs to Apple, with many researchers opting to sell their exploits elsewhere. One such example, is the clear fact is the sheer volume of submissions that come through the Zero Day Institute. More court documents relating to Apple attempting to reintroduce new witnesses, in a case that should already be over. On May 10, 2023, EFF released their own statement on the case. |
| 2021-04-29 | what3words, @What3Words | Aaron Toponce | “Proprietary” Worldlists | @What3Words, a company that sells its wordlist permutations to emergency services, threatened Toponce for exposing their method of generating permutations. In September 2019 IP lawyer JaKemp.com, acting on bahalf of @What3Words, issued whatfreewords.com with a direct threat of legal action. Later, the actual wordlist permutation formula was posted online by @cybergibbons. On April 29 2021, Toponce received a letter demanding that he stop using the What Free Words software, an Open Source derivative of what3words. What3Words chief executive Chris Sheldrick referred to his own software as, “a set of non-trivial, proprietary binary data resources.” Summary and more details in TechCrunch article by Zack Whittaker. |
| 2021-03-25 | Apperta Foundation Supported by NHS England, NHS Digital | Rob Dyke | Sensitive Public Info | Dyke discovered that Apperta had sensitive information on their GitHub repo and informed them. Apperta reported Dyke to the Northumbria Police department despite them making the serious error and him being a good citizen. They also revoked the license to the materials published under NHoS, which they funded, after pledging full transparency to other matters in years prior. Summary and more details in BleepingComputer. |
| 2021-03-02 | Xerox | Raphaël Rigo / Airbus Security Lab | Attacking Xerox Multi Function Printers | Per an article at The Daily Swig, researcher Raphaël Rigo was scheduled to give a presentation on Xerox printers at Infiltrate 2021. An hour before the presentation, the conference informed attendees the talk would not happen due to “pending legal action”. On April 22, 2021, Raphaël was finally able to give the talk. Click here to view slides. Click here to watch the live recorded presentation on Vimeo. |
| 2020-09-10 | Giggle | Digital Interuption | Giggle App | After attempting to contact the CEO and several Giggle staff to disclose the vulnerability directly to them, Digital Interuption was blocked each time, and threatened by Giggle users/fans after the CEO insulted them publicly. After disclosing the vulnerability, Giggle threatened the researchers with an unspecified legal threat. |
| 2020-03-06 | Talkspace @Talkspace | John J Hacking | Talkspace | John found out that he could use company “coupon codes” to sign up and use Talkspace for free, as noted by Zach Whittaker who published a story about @Talkspace’s denial of such claims. In the article, John describes that he was able to sign up to @Talkspace using promo codes that belonged to other companies, who have paid for the service. @Talkspace refuted the claims, which were clearly documented by @johnjhacking. The Cease and Desist Letter can be found here. |
| 2020-01-30 | Iowa Supreme Court, Dallas County Sheriff Department | Coalfire Red Teamers Arrested at work | Red team falsely arrested. | The state of Iowa hired Coalfire to conduct a penetration test, or Red Teaming exercise on their physical premises. The “Scope” can be viewed here. In September 2019, during the engagement, two of the Coalfire employees were actually arrested while working. Justin Wynn and Gary Demercurio were arrested “while working”. A Sheriff arrived, and despite being well aware of the situation, arrested the two employees on burglary charges. Coalfire had already been conducting the same pen tests with the Iowa Supreme Court since 2015. It took four months until January 30 2020 for the charges to be dropped… by the same state that they were trying to protect. Click here to view an interview with the two Pen Testers & Brian Krebs. This event highlights the seriousness of staying in scope, or removing scope altogether; a threat actor does not follow the scope. |
| 2019-11-05 | Boeing @Boeing | Chris Kubecka | Companies without disclosure policies | Chris discovered fundamental flaws in Boeing’s network security and Boeing attempted to “cover up” the incident, according to CSOOnline. Chris spoke at a public event about her research. Boeing was apparently infected with actual malware, ran testing environments exposed to the public internet, and discovered XSS vulnerabilities. Boeing is alleged to have threatened her with legal action, to prevent her from publicly speaking about the research, and Boeing is said to have considered publicly tarnishing Chris’ reputation. Chris is a well-known Security Researcher, and an Air Force veteran. |
| 2017-12-20 | Keeper | Dan Goodin | Keeper sues reporter over vulnerability story | On December 14 2017, Tavis Ormandy reported on Google’s Project Zero about a concern that Windows came pre-installed with a copy of Keeper password manager. Moreover, he published screenshots of a PoC, and showed that the pre-installed software, came with a vulnerability that could be used to potentially perform “drive-by” password theft. Subsequently, Dan Goodin covered this story in Ars Technica. Keeper obviously did not like the original version of Goodin’s story and demanded a trial by jury, alleging that the article contained, “false statements,” and was missing facts. Keeper argued on the court filing that Goodin failed to speak to Keeper, before writing about a bug tracker post about vulnerabilities in the Keeper password manager, that came pre-installed with Windows. Keeper even tried to argue that although it was pre-installed on the computer, the customer had to “use the software”, to be vulnerable. As of 2017, software is designed to be used. [Case number 1:17-cv-09117] |
| 2017-08-03 | MIT @MIT | Bill Demirkapi @D4stiny | Web Site Security | Bill Demirkapi discovered an exposed Wordpress debug log 4GB in size on a publicly accessible MIT service. An unnamed individual at MIT threatened Bill with 5 years jail, and determined that he had caused, “significant disruption and inconvenience for @MIT Libraries staff and patrons.” MIT head of IT responded and said that scanning was “problematic.” Moreover, the original threatener begins to make condescending remarks to Bill, “your understanding of the law is very limited.” Bill was 16 at the time, and later went on to work for @Zoom in Offensive Security. The email exchange can be viewed at: MIT threatened to sue after I reported a security vulnerability #27 pdf file |
| 2016-11-17 | Chase Bank | Chad Scira | Web Site Security | Before Chase created a coordinated disclosure policy or bug bounty program, Scira found a vulnerability that allowed creating unlimited reward points. Scira documented and shared with Chase via Twitter. They organized a call with an SVP and engineer where he showed them everything that “went well”. After, Chase terminated his credit card of five years as well as terminating a family member’s card. Scira disclosed this on 2020-11-04. |
| 2016-12-07 | PwC | ESNC GmbH | PwC ACE Software | ESNC attempted to coordinate disclosure of vulnerabilities in PwC software. During the process, PwC sent two Cease & Desist orders trying to silence research. ESNC ignored them and disclosed the vulnerabilities along with a timeline. [ZDNet] [TechDirt] |
| 2016-06-18 | Nerium International | Steven Jensen | Vulnerability in customer portal | Steven Jensen found a simple enumeration vulnerability in the Nerium customer portal that allows any customer to see any other customer’s details, including credit card, address, and more. Nerium ignored his attempts to report it and only contacted him after he posted enough details to show it was a real issue. That contact came in the form of a cease and desist letter. Jensen removed the post, and replaced it with a timeline of the incident. |
| 2015-12-23 | Infoba | Henrik Høyer | Vulnerability in Infoba solutions | Høyer found vulnerabilities in his son’s kindergarten’s computer systems, created by Infoba. He was accused of accessing sensitive information of other students, a claim which he denies. Rather than fix the vulnerabilities, charges were filed against him. [Full story] |
| 2015-10-06 | Unspecified | Gianni Gnesa | Surveillance camera vulnerabilities | Gnesa, scheduled to speak Oct 14, 2015 at Hack-in-the-Box GSEC, pulled his talk due to legal threats from one of the three vendors of the security cameras he tested that were found to have vulnerabilities. This threat came after Gnesa had privately disclosed the vulnerabilities to the vendor in advance. [Threatpost], [The Reg] |
| 2015-09-25 | Good Technology | Max Moser, Tobias Ospelt, David Gullasch (modzero) | XSS in Good for Enterprise administration console | “Vendor provides legal threat against publication of advisory.” No further details provided. Then, in 2015, modzero added a follow up to this incident, “remotely exploitable vulnerability in Good’s Mobile Device Management (MDM) Suite “Good For Enterprise” that allowed remote attackers to hijack administrative accounts”. Interesting, this was filed under the researcher’s website categories as, “mobile, security, modzero, rant, advisory.” Good Technology, threatened modzero in the following statement, “I could get our legal team to provide the exact language, but it pretty much disallows doing certain things with the software (i.e. no reverse engineering or other activities designed to discover our “secret sauce”) - E-mail from GOOD, July 11th 2013”. Once again, this shows companies historically claiming that their EULA is the law and insinuating that it is illegal to find & publish bugs in their software. |
| 2015-08-13 | FireEye | Felix Wilhelm, ERNW | Finding/reporting vulnerabilities in FireEye products | On May 7, 2015, Wilhelm/ERNW had the first of several conference calls regarding vulnerabilities in FireEye products. On August 6, 2015, FireEye sent a cease-and-desist letter to ERNW, and followed up via the District Court of Hamburg, who issued an injunction preventing Wilhelm from disclosing some, but not all, of the details of his research. As of Sep 10, 2015, Wilhelm’s presentation and slides still contain redacted information. FireEye’s own advisory for the issues does not contain vulnerable versions, use CVE identifiers, include CVSS scoring, and has the advisory timeline section not filled out. More details are available via an article by Richard Morrell. Wired Article. ENRW Blog. |
| 2015-07-13 | Impero Software | slipstream (@TheWack0lian | Disclosing vulnerabilities in their product | slipstream posted information and a functional exploit for a vulnerability in Impero’s Education Pro software. Impero sent a letter via their lawyer Gateley Plc, saying it violated the user agreement, discloses confidential information, caused damage to Impero, and hurt their reputation among other things. A day after posting the letter, the information is still public. [The Register article on it.] |
| 2015-07-07 | Magic Software Argentina | Joaquín Sorianello | Vulnerabilities in MSA Vot.ar Electronic Voting System | In what appears to be a convoluted story, the protected Twitter account @FraudeVotar published information regarding MSA Vot.ar systems and a vulnerability related to SSL certificates. Joaquín Sorianello saw the information and reported it to MSA as a warning about the issue, but had nothing to do with the account or finding the issue. Weeks later, a group of researchers that does not include Sorianello, published a paper about a different vulnerability in the Vot.ar system. After this paper was published, Argentinian metro police conducted a raid of Sorianello’s residence per judge’s order, despite him not finding or publishing either vulnerability. The story of Sorianello was published by Ars Technica and further summarized and commented on by TechDirt. The original Tweets are still protected, and the subsequent research still available online. |
| 2015-05-04 | CyberLock | Mike Davis / IOActive | Vulnerabilities in a product | A lawyer for a firm representing CyberLock threatened a law suit based on the DMCA. Mike Davis posted the legal threat and says “they’re working on it.. lawyers being lawyers.. hopefully at some point we can talk about the technical issues, it was a fun random project..”. A day after the legal threat was made public, IOActive published the research on CyberLock CyberKey. Articles covering this have been published by Ars Technica, Wired, and The Reg. |
| 2015-03-26 | Blue Coat | Raphael Rigo | Security assessment information on Blue Coat ProxySG technology | According to Forbes, shortly before scheduled to speak at Syscan ‘15, the researcher, @trou, cancelled his talk on Blue Coat security. According to Lim, founder of Syscan, this was due to some form of pressure from Blue Coat who asked him to pass it on to Rigo. Blue Coat has not responded to requests about the nature of the pressure and if it involved a legal threat. As of 2015-03-27, Rigo’s research is not public, and his employer says they are working with Blue Coat to “jointly share the findings” in the future. However, as of 2021-04-14, the researcher confirmed that he was able to present the talk months later at Ruxcon and Black Hat Europe. See https://github.com/disclose/research-threats/issues/8 and the slides & video are available at https://syscall.eu/ |
| 2014-07-09 | FireEye | Jean-Marie Bourbon | Security flaws in FireEye’s Malware Analysis System | According to Forbes, after sending details of the vulnerabilities to be posted on Exploit-DB, Bourbon was suspended from his day job, due to pressure from FireEye who has denied involvement. Ultimately, FireEye patched the issues, released an advisory, and credited Bourbon. |
| 2014-01-15 | Covered California | Kristian Erik Hermansen and Matt Ploessel | Security flaws in Covered California website | Video taken down from Youtube and the researchers were visited by the FBI and asked to stop discussing the issues. |
| 2014-01-08 | Public Transport Victoria | Joshua Rogers | Security flaws in PTV website | Company referred incident to Victoria Police |
| 2013-12-16 | ZippyYum | Daniel Wood | Insecure Data Storage in iOS Subway ordering app | Researcher says no NDA was signed and has retained an attorney to handle any potential legal action [Mailing List Thread] |
| 2013-11-10 | Christchurch Public Transport Card (ECan) | William “AmmonRa” Turner | Insecure Public Transport Card System | At Kiwicon 7 (2013-11-09), researcher “AmmonRa” disclosed a series of vulnerabilities regarding Christchurch’s “Metro Card” bus fare system. He previously reported the security flaw to Environment Canterbury, the group that oversees the bus network, three months prior, but nothing had been done. Without merit, after disclosing the vulnerability publicly, Environment Canterbury director operations Wayne Holton-Jeffreys had called the police (but was unsure if any charges would be laid). In essense, the Director of operations, Wayne Holton-Jeffreys, failed to protect their own systems and passed the buck to a hacker for exposing a loophole where 70,000 free rides were allegedly ridden following the talk at Kiwicon. ECan “called the police” over the flaws that they themselves created, and ignored. |
| 2013-07-26 | Volkswagen | Flavio Garcia, University of Birmingham | Security flaws in Volkswagen cars | The High Court in the U.K. issued an injunction against Garcia, preventing him from disclosing vulnerabilities in Volkswagon luxury cars that allow an attacker to start them [Article]. Paper and slides ultimately posted to USENIX site two years later after the injunction. [Ars Technica, Bloomberg] |
| 2013-07-09 | VideoLAN Organization | Secunia | Security flaws in VLC Media Player | Secunia discovered a UAF bug in VLC Media Player. After threatening Secunia with legal action, Secunia updates their entry to reflect a vulnerability is ‘patched’ even though it likely is not, and then changed back to ‘unpatched’ after even more analysis. VLC threatened that the tweet had been screenshot by a lawyer, and demanded quick turn-around in closing the report. Secunia writes an extensive blog on the saga, as has Jean-Baptiste Kempf from VideoLAN. Bug report can be read here: https://trac.videolan.org/vlc/ticket/7860 |
| 2013-06-13 | Zamfoo | Patrick | Security flaws in Zamfoo’s products | After two weeks of not patching a vulnerability, Patrick threatens to post a POC if it isn’t fixed faster. Zamfoo replies by threatening to sue him. (Full Thread) |
| 2013-01-20 | Dawson College / Skytech | Ahmed Al-Khabaz | Security flaws in Skytech’s Omnivox portals, used by schools | Found vulnerability that exposed 250k student records, brought it to attention of college. Did not try to conceal his identity, did not misuse the information, did not try to profit. Skytech threatened to press charges and send him to jail if he did not sign an NDA. |
| 2012-10-25 | (unknown international utility) | Ralph Langner | Nuclear power plant vulnerabilities (SCADA) | Talk was cancelled last minute at the 12th ICS Cyber Security Conference An unnamed vendor objected to the talk on the grounds that “the review would disclose problems in its equipment” and threatened to sue, “even though plant officials had approved the presentations”. This is one of two talks cancelled at the conference according to the conference organizer. |
| 2012-05-28 | E-Soft (UK) | Eric Romang | Video of Metasploit Digital Music Pad SEH overflow exploitation module | E-Soft sent a bogus copyright claim to YouTube to have the video removed. It has been reposted to the same site once by another individual. The video remains available, and there have been no reported attempts to silence news of the exploit in other manners. |
| 2012-01-31 | Smart Grid/Meter Vendor (unspecified) | Don Weber / InGuardians | Smart Grid Meter Security Assessment Tool Release | Researcher cancelled the talk last minute, citing the desire to work with the vendor. Note: a reliable source tells Attrition that InGuardian did not reach out to the vendor until weeks after the ShmooCon CFP. Further, Weber says there was no vulnerabilities being disclosed, suggesting that InGuardian may have cancelled the talk when the unspecified vendor agreed to become a client. |
| 2011-11-22 | Carrier IQ | Trevor Eckhart | Carrier IQ software logs excessive information | Carrier IQ threatens Eckhart and sends a cease & desist letter. Shortly after negative attention, Carrier IQ retracts the threat. Research stays public. |
| 2011-10-13 | First State Superannuation | Patrick Webster | Direct Object Reference vulnerability in FSS website | Researcher received letter indicating FSS reported him to the police and threatened him with further legal action. After negative publicity, First State Super withdraws legal threat. |
| 2011-08-01 | Trans Link Systems | Brenno de Winter | OV Transit Payment System Vulnerabilities | Researcher learned he may have been facing legal charges. Vendor statement says a criminal complaint was filed and researcher was questioned, but researcher was not the target of the complaint. Instead, the Netherlands government took legal action against Brenno, a journalist, for covering the issue. More information. |
| 2011-04-27 | Magix AG | Acidgen | Buffer overflow in Music Maker 16 software (version 16.0.2.4) | Research published despite threat. Researchers convinced Magix to change stance on vuln handling. Magix opened a resource for security researches site, but try to force researchers not to disclose w/o a patch or fix available, in their terms and conditions. |
| 2011-03-21 | German telecommunications firm (unspecified) | Thomas Roth | Amazon EC2-based password cracking software | Roth’s apartment was raided, his bank account frozen, and he had to refrain from releasing his tool during Black Hat. Injunction had since been revoked, Roth published the research. |
| 2010-08-22 | Indian Police (Mumbai) | Hari Prasad | Vulnerabilities in Electronics Corporation of India (ECIL) Electronic Voting Machines | A paper released in April of 2010 by eight researchers, four who live in India, outlined vulnerabilities in the EVMs used by the Indian government for elections, despite repeated claims that they were “tamper-proof”. On August 22, 2010, Police officers from Mumbai drove 14 hours to Hyderabad and arrested Hari Prasad. He was not charged initially, and told him that they were under “pressure [from] the top”. He was told if he gave up the anonymous source that provided an EVM to the team for their research he would be left alone. After seven days in jail, and being denied bail due to medical conditions once, Prasad was finally released on bail. The research paper and web site outlining Indian EVM problems remains public. |
| 2010-07-26 | Financial Industry Client (unspecified) | Varun Uppal and Gyan Chawdhary | High-Speed Trading System Hacks | Due to financial pressure (i.e. loss of a client), the talk was pulled and not presenter anywhere else. |
| 2010-07-15 | Taiwanese Government | Wayne Huang, Armorize Technologies Inc. | The Chinese Cyber Army: An Archaeological Study from 2001 to 2010 | Two weeks before the conference, the talk was cancelled due to “pressure from the Taiwanese government.” |
| 2009-07-18 | RSA | Scott Jarkoff | Navy Federal Credit Union Web Site Flaws | SliceHost / TechMiso challenges RSA, RSA backs down |
| 2009-07-17 | Comerica Bank | Lance James | XSS / Phishing vulnerabilities on Comerica site | C&D Sent to Tumblr, information removed but vulnerability still present (2009-07-17) |
| 2009-06-06 | Orange.fr | HackersBlog | Multiple Vulnerabilities [1] [2] | Apparent legal threats, details not published. |
| 2008-08-13 | Sequoia Voting Systems | Ed Felten | Voting Machine Audit | Research still not published (2008-10-02) |
| 2008-08-09 | Massachusetts Bay Transit Authority | Zach Anderson, RJ Ryan and Alessandro Chiesa | Electronic Fare Payment (Charlie Card/Charlie Ticket) | Gag order lifted, Researchers hired as consultants by MBTA |
| 2008-07-09 | NXP (formerly Philips Semiconductors) | Radboud University Nijmegen | Mifare Classic Card Chip Security | Research Published |
| 2007-12-06 | Autonomy Corp., PLC | Secunia | KeyView Vulnerability Research | Research Published. Apparently, Autonomy also threatened CORE as well but it was not made public, yet the information was shared with others. |
| 2007-07-29 | U.S. Customs | Halvar Flake | Security Training Material | Researcher denied entry into U.S., training cancelled last minute |
| 2007-04-17 | BeThere (Be Un limited) | Sid Karunaratne | Publishing ISP Router Backdoor Information | Researcher still in talks with BeThere, passwords redacted, patch supplied, ISP service not restored (2007-07-06) |
| 2007-02-27 | HID Global | Chris Paget/IOActive | RFID Security Problems | Talk pulled, research not published |
| 2007-??-?? | TippingPoint Technologies, Inc. | /David Maynor / ErrataSec | Reversing TippingPoint rule set to discover vulnerabilities | Bulk of research later published at BlackHat Briefings 07. |
| 2006-09-02 | SimpleBlog | Vipsta & MurderSkillz | Reporting of an SQL injection to a vendor resulted in immediate, “legal threats.” | In 2006, two researchers named Vipsta & MurderSkillz produced a Proof of Concept on exploit-db.com which affected a popular Drupal theme named SimpleBlog. At the time, the vendor 8pixel.net (now http://www.thirstysix.com/ apparently threatened legal action on the same day as the report being reported to them. Two days later the, “Exploit [was] Released with no details to vendor.” |
| 2005-07-29 | Cisco Systems, Inc. | Mike Lynn / ISS | Cisco router vulnerabilities | Resigned from ISS before settlement, gave BH presentation, future disclosure injunction agreed on. Full details on Wikipedia. |
| 2005-03-25 | Sybase, Inc. | Next-Generation Security Software | Sybase Database vulnerabilities | Threat dropped, research published |
| 2003-09-30 | Blackboard Transaction System | Billy Hoffman and Virgil Griffith | Blackboard issued C&D to Interz0ne conference, filed complaint against students | Confidential agreement reached between Hoffman, Griffith and Blackboard |
| 2003-02-05 | Epic Games | Luigi Auriemma / PivX Solutions | Vulnerabilities in Unreal game engine | Thor Larholm of PivX outlines the story in a post to the Bugtraq mail list. The same day, Mark Rein of Epic Games replies to Thor apologizing for the legal threat, calling them a “moment-of-stupidity reaction”. Sam Varghese of smh.com.au summarizes the story in an article. |
| 2002-07-30 | Hewlett-Packard Development Company, L.P. (HP) | SNOsoft | Tru64 Unix OS vulnerability - DMCA based threat | Vendor/researcher agree on future timeline, Additional Tru64 vulnerabilities published, HP asks Neohapsis for OpenSSL exploit code shortly after |
| 2001-07-16 | Adobe Systems Incorporated | Dmitry Sklyarov & ElcomSoft | Adobe eBook AEBPR Bypass | Elcomsoft found Not Guilty |
| 2001-??-?? | Tegam International Viguard Antivirus | Guillaume Tena (Guillermito) | Vulnerabilities in Viguard Antivirus | Suspended fine of 5,000 Euros |
| 2001-04-23 | Secure Digital Music Initiative (SDMI), Recording Industry Association of America (RIAA) and Verance Corporation | Ed Felten | Four Watermark Protection Schemes Bypass - DMCA based threat | Research published at USENIX 2001 |
| 2000-08-17 | Motion Picture Association of America (MPAA) & DVD Copy Control Association (DVD CCA) | 2600: The Hacker Quarterly | DVD Encryption Breaking Software (DeCSS) | DeCSS ruled ‘not a trade secret’ |
Notes about this page:
- Companies that broadly use the DMCA may not be included. This page focuses on companies that specifically use legal threats to stifle security research.
- Many companies may use financial threats to stifle research, threatening to pull funding, support contracts or influence customers. There is an arguably fine line between legal threats (costly) and financial threats (also costly). These may be included if they can be properly documented.
- Companies that fire off Cease & Desist (C&D) letters but do not follow-up will be included here if applicable.
The following incidents are either not confirmed as legal or financial threats, or are confirmed and still cross the line to some degree. They are being included here in the hopes that someone will come forward with additional information or clarification.
| When | Company making threat | Researchers | Research Topic | Resolution/Status |
|---|---|---|---|---|
| 2013-04-30 | Wowza Media Systems | Michal J. | Vulnerabilities in the media server’s authentication | The vulnerabilities were reported to the vendor who threatened to “reevaluate” the researcher’s independent consultant status as well as other indirect threats. The vulnerabilities were disclosed after the vendor refused to provide a remediation plan. The researcher has terminated their participatin in the vendor’s consultant program. |
| 2008-10-24 | Charlie Miller | Vulns in T-Mobile Google Phone | Researcher Charlie Miller discovered vulnerabilities in a Google-based phone sold by T-Mobile, who notified Google who downplayed the issue. Years later, Miller disclosed that Google went after him via his employer. When asked for details, he clarified that it was not a legal threat, but a lecture on “responsible disclosure” to his boss at the time. | |
| 2008-08-01 | Apple | Charles Edge / 318 Inc. | FileVault encryption system weaknesses | NDA between Edge/Apple existed already, Apple called Edge on it. Researcher “rescinded talk” but BH CFP team shows no record of talk being submitted in first place. Attrition Theory: Incident used as press fodder for 318/Edge attention. |
| 2006-12-07 | Oracle Corporation | Argeniss | Week of Oracle Bugs (WoOB) | WoOB cancelled, rumors of financial/legal threats |
The following incidents are related to the ones above, but “cross the line”. They include incidents where it was not “security research”, but rather activity that was considered a crime by current laws (at the time). Instead of following a more ethical approach or going the route of responsible disclosure, the researcher chose to research and disclose the details in a manner that was questionable. While the threat of law suit of such activity is frivilous to most, the companies are being prudent because the researcher in question likely did break laws in the process.
| When | Company making threat | Researchers | Research Topic | Resolution/Status |
|---|---|---|---|---|
| 2010-08-23 | n/a | Hari Prasad, Netindia | Voting Machine vulnerability research | Prasad arrested, machine given to him was apparently stolen |
| 2008-09-12 | Carleton University | Mansour Moufid | Used keylogger to expose student information | Moufid charged with computer crime |
| 2006-04-28 | University of Southern California | Eric McCarty | Database programming error allows disclosure of student SSN and more | McCarty charged with computer crime |
| 2003-08-18 | Tornado Development, Inc. | Bret McDanel | Secure Webmail Session Hijacking discovery | Arrested, tried, convicted and sentenced to 16 months of prison time |
| 2002-03-18 | Harris County District Court | Stefan Puffer | Insecure wireless network discovery | Faces 5 years and $250,000 fine. The jury deliberated for 15 minutes before acquitting Puffer. |
Over the years, many talks have been cancelled for various reasons. Sometimes, the rumor of legal threats dominate the venue and/or news, but never happened. This table will list such events, to help clarify what happened. As time allows, any case of a security talk being cancelled will be added.
| When | Company making request or threat | Researchers | Research Topic | Resolution/Status |
|---|---|---|---|---|
| 2012-10-19 | Hewlett-Packard | Kurt Grutzmacher | Huawei / H3C router vulnerabilities | Grutzmacher coordinated disclosure via US-CERT in August. Days before Toorcon 2012, HP sent a polite request for him to cancel, saying patches were not ready. Grutzmacher cancelled his talk. Two days later, HP released the patch, casting doubt over their intention behind the request. |
| 2012-10-10 | (none) | Pirate Bay founders Peter Sunde and Fredrik Neij | Talk titled “Data is Political” | Neij’s lawyer advised his client not to travel to a highly visible public conference centered on hacking. Sunde was reportedly too ill to travel. |
| 2012-07-29 | (unknown) | Sergey Gordeychik / Denis Baranov, Positive Technologies | SCADA vulnerabilities including Siemens | The talk “SCADA Strangelove: How I Learned To Start Worrying And Love The Nuclear Plants” was cancelled a week before the conference and replaced with a different SCADA talk by another person not affiliated with Positive Technologies. No confirmation as to why, speculation is the talk was pulled due to vendor pressure. |
| 2012-01-31 | Smart Grid Meter Vendor (unnamed) | Don Weber / InGuardians | Smart Grid Vulnerabilities | Was asked to pull talk from ShmooCon 2012, complied. Presented later at BSidesLV 2012. |
| 2011-08-16 | (none) | Riley Hassel / Shane Macaulay | Google Android Vulnerabilities | BlackHat Briefings Las Vegas 2011 Hassel/Macaulay scheduled to give “Hacking Android for Profit” talk at BlackHat Briefings Las Vegas 2011. Neither presenter showed for their talk. Subsequent articles point out that Google said “The identified bugs are not present in Android”, and that the presenters backed out in “fear criminals would use it attack Android phones”. In another work, Hassel said “that some of their work may have replicated previously published research, and they wanted to make sure they properly acknowledged that work.” |
| 2011-05-18 | Siemens / Department of Homeland Security (DHS) | Dillon Beresford / NSS Labs | SCADA vulnerabilities | TakeDownCon 2011 talk titled “Chain Reactions - Hacking SCADA” was cancelled by Beresford after concerns from Siemens/DHS were expressed. Beresford said “DHS in no way tried to censor the presentation.” |
| 2010-07-15 | Taiwanese / Chinese agencies (unnamed) | Wayne Huang, Armorize CTO | Analysis of China’s government-backed hacking initiatives | Talk pulled from BlackHat Briefings 2010 in Las Vegas, announced by Caleb Sima, Armorize CEO on Twitter. An earlier version of the talk was given to a small conference in Taiwain in 2007. |
| 2010-06-29 | ATM Vendors (unnamed) | Raoul Chiesa | ATM Vulnerabilities | Initial reports said that Chiesa was threatened by ATM vendors and forced to cancel last minute. according to Chiesa, no threats were made. The talk was cancelled for “logistical issues that day”. Some in the industry have classified this as a publicity stunt, to garner more attention for the talk at a subsequent date. |
| 2009-06-30 | ATM Vendors (unnamed, presumed Triton) | Barnaby Jack / Juniper Networks | ATM Vulnerabilities | BlackHat Briefings Las Vegas 2009 talk cancelled by Juniper after ATM vendor expressed concerns about disclosure before customers were fully protected. Information published at BlackHat 2010. |
| 2008-07-02 | Apple | Unamed ‘Apple Insiders’ | Apple Security Response Team | According to Trey Ford, BlackHat general manager, a panel of Apple insiders were to have a panel to discuss “the company’s security-response team”. When Apple’s marketing department heard, the panel was abruptly cancelled. |