In case you missed the story, a British security research firm was prevented by Sybase legal threats last week from releasing details about Sybase security vulnerabilities. NGS Software Ltd. had discovered the flaws in Sybase's ASE database software last year but had delayed going public to give Sybase time to fix the problems. After Sybase released its patched version, however, it turned around and threatened legal action if NGS revealed the bugs. The basis of the threat is a censorship clause in the Sybase license agreement:

"Results of benchmark or other performance tests run on the Program may not be disclosed to any third party without Sybase's prior written consent."

While many have expressed outrage that Sybase would try to muzzle security information this way, some customers have actually sided with Sybase's argument that having details of the vulnerabilities revealed is not in their interest. Security researchers should, they argue, go public with this kind of information only if the software company refuses to fix the problems. Besides, NGS sells a Sybase vulnerability assessment tool, so doesn't that make their motives for all this bug-hunting suspect?

Well, it's certainly understandable why harried IT managers, faced with the endless need to install security patch after security patch, might sometimes wish the security researchers would just keep quiet. But NGS didn't create these bugs - it just found them. And it's a good thing NGS was motivated to do so, because there are also a lot of bad guys out there who are definitely motivated to ferret out security vulnerabilities as well, and next time they might get there first.

Speaking of motivations, I don't buy Sybase's claim that it only started brandishing its censorship clause to protect its customers. Trying to protect itself from a little embarrassment, and discouraging NGS from hunting for more bugs, were both probably higher on the Sybase legal department's agenda. Perhaps there was even a desire as to keep customers from checking whether Sybase's patches really did the trick?

And what other motivations might other software companies find in the future for invoking a censorship clause like this? After all, if reporting security bugs qualifies as "other performance tests" that can only be discussed with company permission, then all forms of criticism about a product's performance could be banned. The right to speak your mind cold ultimately just get lost in the sneakwrap. That's where the interests of Sybase customers, and the interests of customers of all software companies, really lie. So, while you still can, exercise your right to criticize the performance of your vendor of choice by writing me at Foster@gripe2ed.com or posting your comments below.