That security patch your product needs? Sorry, we’ve patented it

Another new way to bring the idea of software patents into disrepute, per eWeek/SecurityWatch:

Security researchers, are you tired of handing your vulnerability discoveries over to your employer, as if that were what you’re paid to do? Helping vendors secure their products—for free—so that their users won’t be endangered by new vulnerabilities? Showing your hacking prowess off to your friends, groveling for security jobs or selling your raw discoveries to middlemen for a fraction—a pittance—of their real value?

Take heart, underappreciated, unremunerated vassals, for a new firm is offering to work with you on a vulnerability patch that they will then patent and go to court to defend. You’ll split the profits with the firm, Intellectual Weapons, if they manage to sell the patch to the vendor. The firm may also try to patent any adaptations to an intrusion detection system or any other third-party software aimed at dealing with the vulnerability, so rest assured, there are many parties from which to potentially squeeze payoff.

Intellectual Weapons is offering to accept vulnerabilities you’ve discovered, as long as you haven’t told anyone else, haven’t discovered the vulnerability through illegal means and don’t have any legal responsibility to tell a vendor about the vulnerability.

Also, the vulnerability has to be profitable—the product must be “highly valuable,” according to the firm’s site, “especially as a percentage of the vendor’s revenue.” The product can’t be up for upcoming phaseout—after all, the system takes, on average, seven years to churn out a new patent. The vendor has to have deep pockets so it can pay damages, and your solution has to be simple enough to be explained to a jury. …

The firm says it “fully [anticipates] major battles.”

(“New Firm Eager to Slap Patents on Security Patches”, Jun. 7; Slashdot thread).

5 Comments

  • Let me see if I have this right. If you find a flaw in a company’s software and know how to fix it, these guys want to patent the fix so that the software company has to pay them royalties or else they will sue. You have got to be kidding me! Will this stand up in court?

  • One would think that once one is aware of a vulnerability, how to fix it and how to detect it would be obvious.

    I think recent Supreme Court precedent pretty much closes off the counter-argument “sure it’s obvious how to fix it, but why would anyone make that change unless they knew of the vulnerability”. These “why” or “motivation” type questions are no longer relevant to the question of obviousness.

  • Until fairly recently it was assumed that software was not subject to patent in the United States. The granting of software patents began as the result of a lower court decision, without any change in legislation. To my knowledge the Supreme Court has never ruled on this question. It is therefore an open question whether such patents would be enforceable.

  • Talk about playing Russian Roulette. Intellectual Weapons has stated that they are prepared to take this issue to court. With the unpredictability of the US Court system, I don’t think that anyone will challenge them. I don’t see where this is any different than extortion.

  • Almost anything that can be done can be done in software. It’s hard to imagine how software, regardless of what it did or how it did it, could not be subject to patent.

    Software is no different from a precise sequence of instructions. Name an invention that can’t be implemented in the form of a precise sequence of instructions (and something capable of following them)?