definitely compete with each other," he said, referring to IBM's Internet Security Systems and Trend Micro. "Does the blog post warn users of the danger? That's what the vulnerability advisories are for. Would X-Force do the same thing if it found bugs in IBM's WebSphere? If IBM didn't patch fast enough or the patches didn't work too well, would they be blogging that, 'We've had it with IBM'?"
These kinds of competitive rivalries really bring out the worst in security companies and highlight the house of cards that is vulnerability discovery and disclosure. Perhaps more importantly, you'd think ISS would act differently given its experience with the Witty worm and its somewhat strange circumstances… although they may hold the record for the number of vulnerabilities found in competitor products (hmm, maybe I am confusing cause and effect here).
In any case, I doubt it would pass my litmus test. I really don't understand why the profession facilitates arbitrary target practice. Pescatore cuts to the chase with his IBM point, and I am tempted to challenge ISS to out IBM sometime soon, except that it would increase risk. In any case, IBM would be a target-rich environment in an arbitrary world.