"Generally, the industry bands together and prefers not to speak poorly about others," said Andrew Storms, director of security operations at security vendor nCircle Network Security Inc. "Although what gets said in sales meetings when you are working for the PO isn't always so full of rainbows."
"It is kind of unusual," said John Pescatore, analyst and research fellow with Gartner. "It's definitely the norm these days that security firms find vulnerabilities in each other's products, and X-Force has been one of the leaders in the last three or four years. And it looks like they followed responsible disclosure, gave Trend plenty of warning."
But in some ways, Pescatore said, X-Force broke an unspoken rule. "They definitely compete with each other," he said, referring to IBM's Internet Security Systems and Trend Micro. "Does the blog post warn users of the danger? That's what the vulnerability advisories are for. Would X-Force do the same thing if it found bugs in IBM's WebSphere? If IBM didn't patch fast enough or the patches didn't work too well, would they be blogging that, 'We've had it with IBM'?"
A spokeswoman for Trend Micro, meanwhile, responded to a call for comment by saying "Trend Micro has already issued security patches for ServerProtect," and ticking off a pair of updates issued in March and May of this year. She declined to answer any additional questions about X-Force's allegations, however.
In Pescatore's eyes, X-Force went too far. "If Microsoft was to find bugs in Linux and publicize them, we'd all be negative about Microsoft," he said. "Come on, take the high road."
