It’s hard to turn on the news without hearing about yet another high-profile ransomware attack or data breach impacting our nation’s security, supply chains, and infrastructure.  Indeed, experts estimate that between 2019 and 2020, ransomware attacks rose by 62 percent worldwide, and by 158 percent in North America alone.¹

The recent and dramatic rise in cyber-attacks is particularly difficult to ignore for those responsible for securing critical software systems, who are frantically trying to avoid becoming the next cyber-security headline.  It is no surprise then that President Biden’s Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021) calls for immediate action to counter the “persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.”²

What is less publicized, however, is the complex world of both public and proprietary cyber-security systems known as “vulnerability databases” that aim to secure the reusable software components we rely on.  This article provides an introduction to vulnerability databases and shines a light on some pending litigation that could have a big impact on the cyber-security industry.

One way hackers can gain access to sensitive systems is by exploiting a security vulnerability, or bug, in the software.  The National Vulnerability Database (NVD) is a U.S. government-sponsored repository of standards-based vulnerability management data managed by the National Institute of Standards and Technology (NIST).³ The NVD includes a free, open database of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics—information that can be used to identify and remediate critical vulnerabilities in reusable software.⁴  Software vendors can use this information to publish patches or issue configuration guidance to NVD itself if necessary.  However, there has been a long-standing gap between the number of vulnerabilities discovered and those tracked in NVD. Some estimate that there are between 30 - 50% more known vulnerabilities than those that are identified in NVD, and many entries are estimated to be inaccurate or incomplete.⁵ Thus, organizations tend to struggle to keep their software secure through NVD alone.

Most of the information in NVD comes from the Common Vulnerabilities and Exposures (CVE) Program, which is a related, government-sponsored program.⁶  In order to ensure the integrity of the vulnerability identification process, only an exclusive set of organizations—called CVE Numbering Authorities, or CNA’s—are invited to report, verify, and maintain this publicly accessible information on identified vulnerabilities.⁷

Typically, CNA’s are software vendors that focus on assigning identifiers (CVE ID’s) to newly discovered vulnerabilities within software they have developed (e.g., Red Hat identifies “vulnerabilities in open-source projects affecting Red Hat offerings …,” and Microsoft covers “Microsoft issues only.”).⁸ It is in the software vendor’s best interest to publicly report vulnerabilities so that downstream users of their software are put on notice and can take remedial measures.

Recently, however, the NVD and CVE sponsors appointed Synopsys Software Integrity Group (SIG) as a CNA—i.e., an entity responsible for reporting vulnerabilities to the free and publicly accessible CVE and NVD vulnerability databases.⁹ This is notable because of Synopsys SIG’s affiliation with Synopsys’ wholly-owned subsidiary Black Duck Software, which provides a proprietary vulnerability database and source code scanning and auditing products focusing on embedded open source software.¹⁰

Synopsys SIG’s public vulnerability reporting obligations as a CNA may create a tension with Black Duck’s proprietary vulnerability database. Synopsys’ reporting responsibilities include “vulnerabilities in third-party software discovered by Synopsys SIG that are not in another CNA’s scope,” which could potentially include proprietary vulnerability information.¹¹ And Synopsys recently suggested that it may already be contributing some of its proprietary “research” on vulnerabilities to CVE/NVD as a responsible CNA and “good steward of the broader software ecosystem.”¹² In fact, Synopsys states that it will help CVE and NVD to “close that gap” of 30-50% in unreported vulnerabilities.13

These statements caught the attention of Risk Based Security Inc., (RBS) who licensed its allegedly proprietary vulnerability database called “VulnDB” to Black Duck in 2015 for use in the Black Duck Hub cloud scanning suite.¹⁴ RBS is currently engaged in two lawsuits with Black Duck and Synopsys over the origin and ownership of Black Duck’s purportedly proprietary vulnerability information.  First, in 2018, RBS filed a lawsuit against Black Duck in Massachusetts state court alleging that Black Duck was infringing its trade secret security vulnerability information from RBS’s VulnDB through a product called Black Duck Hub.¹⁵ Many of the filings in this case are sealed, but it appears that Black Duck is challenging the proprietary nature of the information in VulnDB, contending that it is not protectible trade secret information because it was assembled from public data sources.¹⁶  

More recently, in response to Synopsys’ statements about disclosing potentially proprietary vulnerability information to “close that gap” in reported vulnerabilities, RBS allegedly sent a cease and desist letter asking Synopsys “to refrain from identifying vulnerabilities to CVE” reporting vulnerabilities to CVE/NVD.¹⁷ In response, Synopsys filed a declaratory judgment action in the Eastern District of Virginia asserting, inter alia, that VulnDB is not RBS’ trade secret and that Synopsys did not misappropriate VulnDB.¹⁸  RBS filed a motion to stay this more recent federal litigation pending resolution of the overlapping trade secret matters in Massachusetts state court, but that motion was denied in a minute order on July 20, 2021 with an opinion to issue in the near future.¹⁹

The currently pending disputes between RBS and Synopsys/Black Duck could have significant impacts for the cyber-security world and vulnerability databases in general.  On the one hand, vulnerability information can be efficiently disseminated to downstream software users if consolidated in one publicly available repository. However, eliminating proprietary restrictions on use of that information may dis-incentivize discovery and tracking of vulnerabilities at a critical time.  These cases could provide insight into how vulnerability information is treated under U.S. intellectual property law. 

ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.