Page 6 - Short Cases 1 PWC
advisory or similar information" relating to the flawed
software and were not to "make any public statements or
statements to users" of the software.
According to PwC (8,9):
- "Using the proprietary ACE software, we perform
diagnostics of SAP’s. inherent risks and backdoors (such
as configuration, customization and security settings)
which could be exploited to commit fraud";
- "The purpose of this tool is to analyze SAP security
settings and identify privileged access and potential
segregation of duties issues accurately and efficiently";
and
- "The ABAP files introduce no changes to the production
systems and settings".
ESNC told PwC that it would publicly disclose its
findings once the three-month window expired, which was
in line with industry-standard disclosure practices.
PwC didn’t respond, other than to issue a second cease-and-
desist letter.
Undeterred, ESNC released a security advisory (4) a little
over two weeks later, detailing how a remotely exploitable
bug in PwC's security tool could allow an attacker to gain
unauthorized access to an affected SAP system. The same
bug could also allow an attacker to add a backdoor to the
affected server and thereby:
"manipulate accounting documents and financial
results, bypass change management controls, and
bypass segregation of duties restrictions... which could