HP asks researcher not to publish security vulnerabilities
Kurt Grutzmacher has identified security vulnerabilities in network equipment from Huawei and H3C, details of which he had planned to publish at this weekend's Toorcon 14 security conference. Two days before the conference, H3C's owners, HP, contacted him with a "cordial and apologetic" voicemail and email asking him to refrain from doing so.
It can only be concluded that, at the very last minute, HP must have come across some unexpected new information that forced the urgent extension of a mutually agreed 45-day non-disclosure period – as Grutzmacher puts it on his blog, "I'm guessing somebody woke up on Tuesday morning and went 'Oh hell, is Toorcon this Saturday?'"
Grutzmacher discovered the vulnerabilities in July and reported them in August, roughly in parallel with Felix Lindner's (FX) presentation on vulnerabilities in Huawei routers at Defcon. He assessed his independently discovered vulnerabilities as critical and had planned to present workarounds enabling affected users to mitigate the risks in his presentation. All of this was known to the companies involved.
Not without a hint of derision, the frustrated conference presenter explains that the vulnerabilities were "apparently too big" to be published at present. He goes on to explain that he was strongly advised by other parties to agree to postpone disclosure. Who these other parties were, he does not divulge; his main employment, though, is as a network consulting engineer at Cisco. He encourages people looking for more information related to the case, or to the security vulnerabilities in H3C products, to get in touch with HP's PR contact.
HP has previous form in the disclosure business. The Zero Day Initiative (ZDI), which was acquired by and is now part of HP, delayed the publication of details of multiple vulnerabilities with the maximum vulnerability score of 10 until September 2012, over a year after notifying HP. ZDI normally gives a company six months to fix vulnerabilities reported to it before publication. HP appears to have approached this deadline without fear or fixes.