First published: 07th November 2012
Less than two months after an embarrassing false positive against its own software, Sophos is again explaining its products' failings. The current incident actually started earlier, on 10th September 2012, when Tavis Ormandy, a security researcher with Google, contacted Sophos to report six vulnerabilities in Sophos' security products. A month later, Mr Ormandy provided Sophos with information on two more vulnerabilities. Sophos worked on fixing the problems and updated users with fixes for seven of them between 22nd October and 5th November. Mr Ormandy then published his analysis, followed by Sophos issuing their own article, both on 5th November. A fix for the eighth problem is expected on 28th November.
Yui Kee's Chief Consultant, Allan Dyer, commented, "This is how responsible disclosure is supposed to work. An external researcher found vulnerabilities and gave the developer the opportunity to fix them before publishing. The developer made use of the opportunity, fixed the issues, and courteously let the researcher publish first. Both acted together for the protection of users."
However, not all is sweetness and light between Mr Ormandy and Sophos. In 2010, Sophos accused Mr Ormandy of irresponsible disclosure, and in the current incident the blog postings make it clear that he and Sophos differ in their opinion of the quality of the products.
Dyer commented, "Responsible disclosure benefits everyone, but some friction between external researchers and developers is to be expected as they approach the issue from different angles. So long as it is kept polite, the friction can be beneficial, as it prevents complacency. We should all remember the common enemy is researchers that exploit their findings for dishonest gain."