There are two cases where security companies go out and "dis" other security companies:
1) The company is a young upstart looking to make a name for itself; and
2) The company is old and decrepit and trying to prove they "still got it."
ISS has been on a kick lately, finding bugs in Trend Micro and Symantec software. Guess which type they are.
I hope all the enterprises out there understand that ISS is hurting you. Not only are they spending their time in ego-matches, but the opportunity cost is huge. They could be creating new products and conducting original research into stopping those "zero days" we all worry about.
In addition, they are placing their (perceived) ability to make a short-term buck over your ability to protect your enterprise.
Of course, it isn’t just ISS that does this. In fact, ISS was itself a victim of eEye last year in a similar case (the Witty worm).
Bad news all around.
I believe that ISS is actually trying to change their business model from software creation to vulnerability assessment. X-Code was always doing this, and since the market for IDS and IPS devices and software isn’t as hot as it used to be, ISS is somewhat at a loss.
Why should they create new software products? If they don’t want to any more, they’re of course free to seek other venues.
Having said that, I do have to agree with your initial assessment. ISS reeks of a slow death.
Don’t you think it’s actually good for the customers who are using those products? That a competitor is finding faults pushes companies to plug these holes/whatever faster. And often, reliance on a single product is a dangerous issue in security. This kind of bug finding might be a kind of peer review of others’ products, benefiting most the end user, who might not have the time nor the expertise to look so deep.
Latent vulnerabilities are abundant; it is only when they get “discovered” and someone notifies the world that the vultures start circling.
In a very specific sense, it is extremely worthwhile to perform QA and patch those applications that are important to you.
In this very general sense, this only forces everyone to focus on this particular application rather than the ones that are of most importance to the enterprise.
So the answer to your question is no, I don’t believe that unconstrained public vulnerability discovery simply to patch the holes (or gain market advantage) does anyone any good, and the costs are astronomical.
Regarding peer review and security companies playing together well… I talk to security vendors all the time. There is no love lost among them. I don’t believe they are doing this altruistically.