Page 5 - Short Cases 1 PWC
scanning their SAP systems, and for running code security
analysis to reduce risks affecting critical business processes
and data.
ESNC discovered that software developed by
PricewaterhouseCoopers (PwC) for SAP systems, the
Automated Controls Evaluator (ACE), was affected by a
critical, remotely exploitable security flaw. ESNC contacted
and met with PwC in August 2016 (see Timeline) to discuss
the scope of the flaw. This was the first time they'd ever sent
their research and findings to PwC.
As part of its responsible disclosure policy, ESNC gave PwC
three months to fix the flaw before a public advisory would
be published.
After hearing nothing for two weeks, ESNC contacted PwC
again to check on progress. They did not get a response, but
eight days later they received a cease-and-desist letter from
PwC's lawyers. This was also the first time ESNC had ever
been legally threatened for doing their job.
Ertunga Arsal, chief executive of ESNC, said in an email:
"We believe in responsible disclosure. We are a security
company, which is publicly credited by SAP and other
companies for discovery of over 100 security vulnerabilities
to date."
A portion of the cease-and-desist letter said that PwC
demanded the ESNC researchers "not release a security