Munich-based ESNC published a security advisory last week detailing how a remotely exploitable bug in a security tool, developed by auditing and tax giant PwC, could allow an attacker to gain unauthorised access to an affected SAP system.
It was all fairly bog standard. The researchers contacted and met with PwC in August to discuss the scope of the flaw. As part of its responsible disclosure policy, the researchers gave PwC three months to fix the flaw before a public advisory would be published.
When it didn't, ESNC published an advisory which said that the flaw meant that an attacker could "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions... which could result in fraud, theft or manipulation of sensitive data," as well as the "unauthorized payment transactions and transfer of money."
Three days later, the corporate giant responded with legal threats. ESNC said that this was the first time the company had submitted a vulnerability report to PwC, but it was also the first time that the company had received a legal threat.
According to ZDNet, PwC demanded the researchers "not release a security advisory or similar information" relating to the buggy software. The legal threat also said that the researchers are not to "make any public statements or statements to users" of the software.
In an email, a spokesperson for PwC acknowledged the existence of the vulnerability and confirmed that it had been fixed.
However, the corporate giant argued that ESNC shouldn't have had access to the software in the first place, as it wasn't a licensed partner.
The spokesperson also said in a separate prepared statement: "The code referenced in this bulletin is not included in the current version of the software which is available to all of our clients."
"The bulletin describes a hypothetical and unlikely scenario -- we are not aware of any situation in which it has materialised," the spokesperson insisted.