Synopsys Wins Trade Secrets Case: Court Rules No Infringement of RBS’s Data

In a crucial verdict that sets a precedent for future tech trade secret lawsuits, the U.S. Court of Appeals for the 4th Circuit has ruled that Synopsys, a Silicon Valley-based firm, did not infringe upon the trade secrets of Risk Based Security (RBS). RBS, which is based in Richmond, Virginia, could not establish that the alleged secrets provided independent economic value from their concealed nature.

This ruling upholds the earlier decision made by the U.S. District Court for the Eastern District of Virginia. The court observed that RBS lacked compelling evidence to demonstrate that the 75 supposed trade secrets had intrinsic financial value. U.S. Circuit Judge G. Steven Agee authored the court’s ruling, confirming that without concrete evidence of these trade secrets’ economic value, RBS’s claim for misappropriation of trade secrets could not succeed.

The dispute originally involved Black Duck Security, which Synopsys acquired in 2017 for $547 million. Black Duck was once licensed to use data from RBS’s vulnerability database, VulnDB. However, tensions arose when Black Duck established its own databases to handle information about open-source code vulnerabilities, leading RBS to revoke the license and file a lawsuit.

Things escalated in 2021 when Synopsys became a CVE numbering authority, which allowed the firm to assign unique identifiers to vulnerabilities in open-source security software. RBS claimed this status involved VulnDB data unlawfully obtained by Black Duck and sent a cease-and-desist letter to Synopsys.

While RBS attempted to prove the economic value of its 75 supposed trade secrets by highlighting the acquisition cost paid by Flashpoint and the significant revenue generated from VulnDB licenses, the court held that neither the value of RBS itself nor that of VulnDB could serve as evidence for the alleged trade secrets’ value.

RBS’s attempt to dismiss the case was also rebuffed as the court found RBS’s pledge not to sue Synopsys only covered Synopsys’s work as a CVE numbering authority. This did not offer sufficient protection for Synopsys’s other business conduct, including its relationships with other businesses. The court maintained that RBS’s cease-and-desist letter from 2021, which called for broader cessation of Synopsys’s use, distribution, or modification of RBS’s intellectual property, still had relevance.

This ruling, while specific to the case at hand, offers important implications for the technology industry, setting a precedent on what constitutes trade secrets, their economic value, and the protections around them.

Leave a Reply