Security solution provider Secunia, which is also well-known for publishing vulnerability reports, has drawn the ire of Autonomy over publication of historic security advisories.
Late last month, Core Security Technologies revealed a vulnerability in IBM Lotus Notes, which uses Autonomy's Verity KeyView SDK. JJ Reyes, security researcher at Secunia, then sent email messages to Autonomy asking for input before publishing a historic advisory to document the problem since various versions of the SDK are used in other products, such as those from Symantec. Secunia wanted to know which versions of the SDK are affected and which versions contain related fixes.
Joe Scott, General Counsel at Autonomy, apparently delivered a stern response that Secunia interprets as not-so-veiled legal threats. Secunia published its electronic conversation with Autonomy, and according to the documents, Autonomy feels that the publication of another advisory isn't necessary and that doing so could harm the company's reputation. Similar advisories are already posted at Security Focus, which is owned and operated by Symantec, and at ISS, which is owned and operated by IBM. The fact that both IBM and Symantec are Autonomy customers was not lost on Secunia.
Thomas Kristensen, CTO at Secunia, responded to Scott by writing, "There is absolutely nothing misleading about publishing an advisory documenting 'historic' issues; in fact it would be misleading to conceal such facts." Autonomy then volleyed back by reiterating its demand that Secunia not publish the advisory.
Where the matter will go from here is still unknown. Regardless, Secunia stands firm behind its advisory publication methods. The company has since published its thoughts on the matter in its blog, which also includes links to the correspondence between itself and Autonomy.