A view through the transparent glass floor of Spinnaker Tower, Portsmouth, U.K. (Janderk1968, CC BY-SA 3.0 https://creativecommons.org/licenses/by-sa/3.0, via Wikimedia Commons)

A newly founded alliance is encouraging cybersecurity vendors to eliminate language from their license agreements that restricts end users from publishing reviews, product comparisons or benchmarks.

The organization, Transparency in Cybersecurity, officially launched last week with a website featuring an analysis of 200 cyber solution providers’ end user license agreements (EULAs). Of this sampling, 42% of companies had clauses that in some fashion prohibit users from publicly disclosing assessments of their products. Public companies tended to be less transparent, with 53% featuring restrictions in their EULAs, compared to just 39% of private companies.

The 120 vendors with no EULA restrictions were named to Transparency in Cybersecurity's Honor Roll, which is available for review on the organization's website.

The four founding members of the group are Avi Shua, co-founder and CEO of cloud security firm Orca Security; Morey Haber, chief information officer and CISO of privileged access management company BeyondTrust; Andy Ellis, former CSO at Akamai; and Joel Fulton, co-founder and CEO of asset management company Lucidum. In interviews with SC Media, each of these individuals reflected on their own personal experiences dealing with transparency in the vendor solutions space.

The four founders

Shua resolved to create Transparency in Cybersecurity shortly after his company received a cease-and-desist letter in 2020 from competitor Palo Alto Networks, as a consequence of a product comparison that Orca had posted on its website.

“In cybersecurity marketing there are too [many] words and too little content. There is marketing that explains why the product is so great… without showing what it actually does,” said Shua. “So we decided to take an approach of… showing the actual results of installing different tools – as a valuable resource for people to assess.”

No doubt, many vendors would love to differentiate themselves in their marketing by demonstrating capabilities that their competitors don’t have. But Palo Alto’s cease-and-desist letter claimed that Orca engaged in the unauthorized use of its products and trademarks, and that the web posting constituted a violation of its terms of usage and its EULA, which prohibits end users from “disclosing, publishing or otherwise making publicly available benchmark, performance or comparison tests.”

Granted, competing vendors could justifiably argue that their rivals might not be the most objective evaluators of their products. But according to Shua, even third-party, independent reviewers are deterred from posting these kinds of comparisons, for fear of possible legal action springing from restrictive EULAs.

Rather than acquiescing to its competitor’s demands and removing the content, Orca Security published a blog post defending its actions and calling for more transparency.

SC Media reached out to Palo Alto Networks for comment.

Shua told SC Media that in the wake of that confrontation, “we got tons of feedback that it's not only Palo Alto that has this clause. There are many other vendors that essentially tell their buyers, ‘You are not allowed to publish your views and you’re not allowed to publish benchmarks.’ And this creates a situation where the data is not transparent.”

In certain cases, there’s also a level of hypocrisy to such a stance. Transparency in Cybersecurity noted there were 27 companies with restrictive EULAs that didn’t allow public reviews, yet actively promoted unauthorized reviews of their products when they were positive in tone.

Ellis suggested that some companies are more than happy to allow the review if it’s glowing, but want to hide bad reviews if their product isn’t particularly effective.

“Imagine if you went to go buy a car, and you know the only cars that there are no reviews on are the ones that are the most dangerous to drive. That would be an awful situation,” said Ellis.

Fulton at Lucidum told SC Media that his frustration with a lack of transparency in the cyber market dates back to when he was director at Symantec’s Global Security office from 2010-2015. Instead of feeling frustrated from a marketing perspective, he grew irritated as a consumer and user of products.

“I evaluated competing products in different categories, and was unable to do apples-to-apples comparisons because the results of testing were not made known,” he said. “The ability to get to facts has become more important and more valid when it comes to a buying decision.”

A third interested party in all of this is the insurance industry, Fulton noted, as cyber insurance providers would ideally like to ascertain which of its policyholders are using the most trusted and effective infosec solutions. Some of these providers have even tested the concept of lowering payments if their clients download specific tools and configure them as recommended.

“But what does it mean to configure them according to that standard? Nobody [knows], because… security companies didn’t divulge the results of testing,” said Fulton. “So the insurance company's ability to understand the data necessary to set the correct premium discounts for the deployment of that tool [is] missing.”

It’s not just a matter of publishing reviews and comparison results. The act of pentesting a product – even for internal use only – could similarly violate the terms of service spelled out in certain EULAs, the Transparency in Cybersecurity members noted.

“Many of the products I use… I'm not able to pentest, reverse-engineer or even write a security review about because of their EULAs,” said Haber. “They have explicit statements that say, ‘You will not do a pentest.’ Or even if I sell it to an end user, they are not permitted to do a pen test.”

BeyondTrust does not want to restrict its own users in that way, said Haber, so the company decided several years ago to add language to its EULA that makes it clear that users can pentest the product – just so long as they provide advance notice so that any monitored activity doesn’t trigger a false-positive alert. “And then we kindly state, ‘Please follow responsible disclosure and let us know, so if it is something that needs to be patched, we'll patch it.’” In the end, it will only “help make our products more secure.”

Ellis acknowledged that Akamai originally didn’t allow pentesting, mostly to avoid the false positives Haber referenced, but that the policy later changed.

“Over a while I had come to this realization: These are my users. If they want to test and make sure it works, I really want them to do that, because if they hadn't installed it correctly, that's an important thing to learn,” said Ellis. The security team has spent “all this time talking about… the responsibilities of the researchers,” including the importance of coordinated vulnerability disclosure, “but what we didn't talk about was the responsibility of the vendors to make it amenable for a researcher to evaluate a product.”

A “cheerful revolution”

Transparency in Cybersecurity hopes to inspire additional vendors to have a similar change of heart by encouraging the B2B user community to apply pressure on them. But first, those buyers need to be better educated about the problem.

“The B2B buyers don't even realize this as a problem,” explained Ellis, who said it will be important to teach security practitioners to thoroughly read through their cyber solution contracts and ensure that vendors are not attaching any restrictive EULAs to them.

Additionally, the organization has created a form letter that security practitioners can send to members of the vendor community, urging them to join the initiative and its cause.

Shua said that Orca Security even reached out to Palo Alto Networks directly, but the latter company held firm and has not removed the EULA language. However, the founders believe that other vendors may be more open-minded, especially those who may have mistakenly incorporated restrictive language into their EULAs without any intention of hiding anything.

Indeed, some companies may have unknowingly adopted a “default illegal boilerplate that got put in either by a lawyer or product manager,” without really understanding the ramifications, said Ellis. In those cases, it might be easy to convince them to drop such language once they become aware of it.

“What we want to do is, first, find all those companies that didn't mean to do this, and help them correct it so they can be part of a better ecosystem,” said Ellis.

Shua said he could also envision vendors who officially support transparency one day earning an official certification or designation that might make them more appealing to prospective buyers.

He also would like to see product review websites include some kind of notice that specifies when a particular featured vendor is fully transparent and will allow reviews of its product, good or bad.

Fulton described the initiative as more of a “cheerful revolution” or “rebellion” against restrictive EULAs, rather than an attempt to twist arms with aggressive legal challenges.

“I've been in security for 25 years, and I know a lot of people who are buyers,” said Fulton, noting his goal is to “persuade and encourage” these buyers to consider transparency when evaluating and procuring future solutions, and to push for transparency as a stipulation when negotiating a new or renewed contract.

Fulton said that large vendor companies “may not care what I think – nor should they – but I bet they care when someone is spending $10 million a month. And that would be the customer. And I know that person. And so on renewal, that is the way to influence the vendor behavior that I am most passionate about.”

But for those vendors who still reserve the right to enforce their EULAs’ anti-review clauses, the organization’s leadership asserts that such policies are not even legally enforceable – citing, for one, the Consumer Review Fairness Act, which bars businesses from prohibiting product reviews.

Still, the prospects of a civil lawsuit – or perhaps even criminal prosecution if a user’s pentest is interpreted as an unauthorized hack – might be enough to have a chilling effect on potential reviewers. As another potential weapon, vendors could also terminate a user’s service without granting a refund.

“The threat of legal action for an individual is problematic,” said Ellis. “Imagine your company gets a letter and they turn to you – the person who wrote the review – and says, ‘Why did you do this? You have to get out and defend us, because we didn't need this.’ Or ‘Go delete the review and apologize.’ So employees themselves are vulnerable in this uncertain world, because it's not clear that every employer is going to stand up and say, ‘That cease and desist isn't legal and we're just going to ignore it or fight it.’”