ISS outs Trend Micro

IBM / ISS released (partially redacted) security advisories against Trend Micro. I think John Pescatore got it right in this article:

"But in some ways, Pescatore said, X-Force broke an unspoken rule. "They definitely compete with each other," he said, referring to IBM's Internet Security Systems and Trend Micro. "Does the blog post warn users of the danger? That's what the vulnerability advisories are for. Would X-Force do the same thing if it found bugs in IBM's WebSphere? If IBM didn't patch fast enough or the patches didn't work too well, would they be blogging that, 'We've had it with IBM'?"

These kinds of competitive rivalries really bring out the worst in security companies and highlight the house of cards that is vulnerability discovery and disclosure. Perhaps more importantly, you'd think ISS would act differently given its experience with the Witty worm and its somewhat strange circumstances... although they may hold the record for the number of vulnerabilities found in competitor products (hmm, maybe I am confusing cause and effect here).

In any case, I doubt it would pass my litmus test. I really don't understand why the profession facilitates arbitrary target practice. Pescatore cuts to the chase with his IBM point, and I am tempted to challenge for ISS to out IBM sometime soon, except that it would increase risk. In any case, IBM would be a target-rich environment in an arbitrary world.

Comments

the rivalries may bring out the worst but they also serves to keep the vendors more or less honest (with the exception of their marketing departments)... leaping on a competitor's missteps means that they all have to keep on their toes and be careful not to do anything their competitors can capitalize on...

Posted by: kurt wismer | November 14, 2008 at 10:39 AM