29 July 2005

Cisco And Security Researcher Agree To Disagree

Security researcher Michael Lynn and Cisco Systems have reached an agreement that should put an end to Cisco’s legal action against Lynn for speaking publicly about a flaw in the company’s router software. Lynn, who until Wednesday was employed by Internet Security Systems (ISS), gave a presentation at the Black Hat Conference discussing the vulnerability. Cisco and ISS had discouraged Lynn from giving the presentation, saying that a patch had been issued for the flaw. Lynn believed Cisco had not been open with consumers about the severity of the problem, and he resigned from ISS to protest the company’s position that he should not give the presentation. After he left ISS, however, Lynn faced legal action from Cisco, which argued that he had no right to make the presentation since he was no longer employed by ISS. Under the agreement, Lynn will stop disclosing information about the flaw, and the legal action will be canceled. Computer security expert Bruce Schneier applauded Lynn for his conviction in exposing what he thought was a serious flaw despite the risks of going public.

Matt Bishop, professor of computer science at the University of California-Davis, said he sees exposing flaws publicly as a dangerous practice and that working with the affected vendor is preferable.

San Jose Mercury News, 29 July 2005
