Patenting Security Fixes – Dumbest Idea Ever?

I saw an article today about what must be the dumbest idea ever.  I hate to get them any more free publicity, but this was too ridiculous to pass up.

Apparently this firm wants crackers to tell them about 0days they find so that they can jointly develop and patent a fix.  They then want to license that fix to the original software vendor and sue anyone who uses knowledge of the fix without a license.

Now I am not a lawyer and I am certainly not an intellectual property lawyer, but I do know (or at least Wikipedia told me) that patents have to be:

  • New
  • Inventive
  • Useful or industrially applicable

Let’s look at those in reverse order.  Useful or industrially applicable would be pretty easy to demonstrate.  Fixes to security bugs are certainly helpful in maintaining system security and industry requires security these days.  Great work, Intellectual Weapons.

Inventive is going to be a tough one.  This is also described as non-obvious.  If you look at most buffer overflow flaws in applications, the fix consists of “replace gets() with fgets()”.  That isn’t terribly inventive, nor non-obvious.  Some more subtle bugs might need to have more involved fixes, I suppose, but the most common security flaws have pretty standard fixes and unless whole new algorithms had to be invented I don’t suspect these fixes will be terribly inventive.
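To make the “replace gets() with fgets()” point concrete, here is an added example (mine, not code from the post or from any vendor) of what that standard fix looks like in practice. The unsafe pattern is shown only as a comment; the bounded replacement also handles the one edge case people get wrong when switching to fgets(): a line longer than the buffer leaves its tail in the stream, so the reader drains it and reports the truncation. The function names, the `read_status` values and the sample input are my own constructions; `fmemopen` is POSIX and is used here only so the example runs offline.

```c
#define _POSIX_C_SOURCE 200809L /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded line read (constructed names, not from the post). */
enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = 2 };

/* The pattern the post refers to, shown only as a comment:
 *
 *     char name[16];
 *     gets(name);   // no bound: input longer than 15 bytes overruns name
 *
 * gets() has no way to learn the buffer size, which is why it was removed
 * from the C standard in C11. */

/* Bounded replacement: read at most cap-1 bytes into buf, always
 * NUL-terminate, strip the trailing newline and report whether the line was
 * cut short. If it was, the rest of the line is discarded so the next call
 * starts on a fresh line instead of silently treating the leftover as new
 * input (a common mistake after a gets() -> fgets() swap). */
enum read_status read_line_bounded(char *buf, size_t cap, FILE *in)
{
    if (cap == 0)
        return READ_EOF;
    if (fgets(buf, (int)cap, in) == NULL) {
        buf[0] = '\0';
        return READ_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    /* No newline: either the line was longer than the buffer or the stream
     * ended without a newline. Peek one character to tell the two apart. */
    int c = fgetc(in);
    if (c == EOF)
        return READ_OK;
    /* Overlong line: drain the remainder so it cannot be misread later. */
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    return READ_TRUNCATED;
}

/* Constructed sample input: three lines, the second longer than an 8-byte
 * buffer, the last without a trailing newline. */
static const char SAMPLE[] = "short\nthis line is far too long\nlast";

/* Runs the reader over SAMPLE with an 8-byte buffer and returns how many
 * lines came back truncated (expected: exactly one). Returns -1 if the
 * in-memory stream could not be opened, -2 if any read gave a wrong result. */
int demo_truncation_count(void)
{
    char copy[sizeof SAMPLE];
    memcpy(copy, SAMPLE, sizeof SAMPLE);
    FILE *in = fmemopen(copy, sizeof SAMPLE - 1, "r");
    if (in == NULL)
        return -1;

    char buf[8];
    int truncated = 0;
    int bad = 0;

    /* Line 1 fits: "short" */
    if (read_line_bounded(buf, sizeof buf, in) != READ_OK || strcmp(buf, "short") != 0)
        bad = 1;
    /* Line 2 is cut to 7 bytes and the tail is drained. */
    enum read_status s = read_line_bounded(buf, sizeof buf, in);
    if (s == READ_TRUNCATED)
        truncated++;
    if (s != READ_TRUNCATED || strcmp(buf, "this li") != 0)
        bad = 1;
    /* Line 3 has no newline but was read whole: "last" */
    if (read_line_bounded(buf, sizeof buf, in) != READ_OK || strcmp(buf, "last") != 0)
        bad = 1;
    /* Nothing left. */
    if (read_line_bounded(buf, sizeof buf, in) != READ_EOF || buf[0] != '\0')
        bad = 1;

    fclose(in);
    return bad ? -2 : truncated;
}

int main(void)
{
    int n = demo_truncation_count();
    printf("truncated lines: %d\n", n);
    return n == 1 ? 0 : 1;
}
```

The fix is exactly as unremarkable as the post says: the only design decision is what to do with an overlong line, and reporting it rather than silently splitting it is what keeps the rest of the program from acting on partial input.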

Finally “new” is a real killer for this idea.  As mentioned above, there are plenty of examples and patterns for fixing security bugs so there is going to be a tremendous amount of prior art out there.

They have an FAQ with all sorts of answers why the glaring flaws in their idea can be worked around but most of this looks like bunk.  I have dealt with the US Patent and Trademark Office before and they are almost unbelievably slow.  Even their simple and expedited services are too slow for this idea to be workable.

This has to be a hoax.  It did serve to get me all riled up on a Friday, though.  Bravo!

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.