Info Synopsys Took From Risk Based Security Doesn’t Meet ‘Trade Secret’ Definition
A federal appeals court affirmed that Synopsys didn’t steal any trade secrets from Risk Based Security by creating its own database of open-source code vulnerabilities.
The U.S. Court of Appeals for the 4th Circuit said the information that Silicon Valley-based Synopsys allegedly took doesn’t meet the definition of a trade secret since Richmond, Virginia-based Risk Based Security failed to prove it “[d]erives independent economic value” from keeping the data under wraps. The U.S. District Court for the Eastern District of Virginia ruled in Synopsys’ favor, which prompted Risk Based Security to appeal.
“RBS failed to put forward admissible evidence showing that the 75 alleged trade secrets had independent economic value,” U.S. Circuit Judge G. Steven Agee wrote. “Absent proof sufficient to satisfy that part of the statutory definition of a ‘trade secret,’ RBS could not prevail in a misappropriation-of-trade-secrets claim, and the district court properly granted summary judgement to Synopsys.”
Risk Based Security was acquired by Washington, D.C.-based Flashpoint in January 2022. Flashpoint declined an Information Security Media Group request for comment. The original trade secret theft allegations involved Black Duck Security, which was bought by Synopsys for $547 million in 2017. Synopsys grew its software integrity revenue to $465.8 million in its most recent fiscal year, up 18.3% from the year prior (see: Synopsys Extends Lead in Gartner MQ for App Security Testing).
How We Got Here
Risk Based Security acquired publicly available vulnerability database VulnDB in 2011 and entered into a licensing agreement with Black Duck Software in 2014 after using the data found in VulnDB to create a private database. Black Duck subsequently created its own databases to manage and store information about open-source code vulnerabilities, which prompted RBS to revoke Black Duck’s license and sue.
Then in March 2021, Synopsys became a CVE numbering authority, allowing the company to assign unique identifier numbers to vulnerabilities in open-source security software and publish information about what it had found. That prompted Risk Based Security to send Synopsys a cease-and-desist letter since being a CVE numbering authority allegedly involved VulnDB data that Black Duck had obtained unlawfully.
A month later, Synopsys asked the U.S. District Court for the Eastern District of Virginia to rule that it hadn’t stolen Risk Based Security’s trade secrets. During discovery, Risk Based Security moved to dismiss the case after Synopsys allegedly said its work as a CVE numbering authority would be “the product of its independent research and not based on any vulnerability database at all, let alone VulnDB.”
Synopsys, however, wanted the federal case to proceed. The original complaint Risk Based Security filed in Massachusetts state court in 2018 still hasn’t been resolved. The 75 trade secrets Risk Based Security accused Synopsys of stealing include vulnerability data collected over certain periods of time in certain file locations, as well as compilations and methods of analyzing and documenting identified vulnerabilities.
What the Courts Found
In district court, Risk Based Security attempted to prove that all 75 of its alleged trade secrets derived independent economic value from their secrecy by noting how much Flashpoint paid for the company in 2022 and pointing out that at least 90% of the company’s revenue comes from licensing VulnDB. But the evidence presented didn’t prove the trade secrets had value or that the value derived from the secrecy.
“Neither RBS itself or its private database VulnDB is one of the alleged 75 trade secrets, so evidence about RBS’ or VulnDB’s value cannot substitute for evidence about the 75 alleged trade secrets’ value,” Agee wrote in a 31-page opinion issued June 15. “[That] would defeat the obligation of proving that the alleged trade secrets themselves have independent economic value.”
Risk Based Security’s efforts to dismiss the case were also unsuccessful, since the company’s pledge to not sue Synopsys was limited to that company’s work as a CVE numbering authority. The district court determined that Risk Based Security’s promise “does not sufficiently protect Synopsys’s other commercial conduct,” including the company’s business relationships.
Synopsys wanted courts to determine that it had not violated federal or Virginia law in any capacity, not just as a CVE numbering authority, and wanted a declaration that it “has not copied or misappropriated any of RBS’ purported” trade secrets. Risk Based Security’s 2021 cease-and-desist letter more broadly demands that Synopsys stop using, distributing or modifying Synopsys’ intellectual property.
“The documents RBS issued mid-litigation do not meet Already’s standards because they are partial, conditional and revocable,” Agee wrote. Already refers to a previous case – Already LLC v. Nike, Inc. “Accordingly, we reject RBS’ contention that the case should have been dismissed as moot following RBS’ issuance of the covenant not to sue and its withdrawal of the cease-and-desist letter.”