SecurityFocus 2001-11-09
Five computer security firms join Microsoft to set an official standard for limiting disclosure of software security holes
Shocking developments
2001-11-09
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]> (2 replies)
Such a policy for disclosure already exists
2001-11-09
Dumky (1 replies)
Such a policy for disclosure already exists
2001-11-10
H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>
So what would force Microsoft to patch these holes if exploits are not published?
2001-11-10
Rafal Sybilla-Leszczynski (1 replies)
So what would force Microsoft to patch these holes if exploits are not published?
2001-11-12
Anonymous
Microsoft have no server monopoly: this may reduce their share
2001-11-12
Kirsten Bayes (kirruth@hushmail)

Any one of these companies could have decided separately or amongst themselves, without Microsoft, to establish and adhere to a standard for disclosure. After all, each of the companies mentioned is made up of really smart guys. But by signing up with Microsoft, they can offer enhanced services to their customers. Scanner products will be far ahead of the others, across the board. Penetration testing and vulnerability assessment (throw incident response and forensics in there, too) will be second to none. Why? Because these guys have the latest and greatest information, and also have a document to support their reasons for not disclosing their findings publicly.
Excellent move, really! No one can fault them for making a decision that's going to lead to their making much more money. And that's even if they don't share the vulnerabilities amongst themselves, within their coalition.
What remains to be seen is what other organizations will do. RFP, eEye, NMRC, Xato, etc. ... what will they do? Other organizations that base their products and services on vulnerability information are going to be at least... what... 30 days behind the coalition? And that's assuming that (a) enough information is released to fully describe the vulnerability or, if it isn't, (b) the licensing agreement for the patch doesn't include a stipulation against reverse engineering it.
And how does NMRC fit into all this? Didn't hellNbak just call for Information Anarchy? And does Simple Nomad agree with his employer on this?
Link to this comment: http://www.securityfocus.com/comments/articles/281/8694#8694