Irresponsible Disclosure
Jon Lasser, 2002-06-26

Internet Security Systems violated community standards and common sense with its surprise Apache bug announcement.

Irresponsible Disclosure 2002-06-26
Anonymous (1 replies)
Irresponsible Disclosure 2002-06-28
Anonymous
Irresponsible Disclosure 2002-06-26
joe90@hushmail.com
Irresponsible Disclosure 2002-06-27
Please please please get a new UNIX writer! (7 replies)
Are you working for ISS ? 2002-06-27
nimp
Irresponsible Disclosure 2002-06-27
Anonymous
Irresponsible Disclosure 2002-06-27
Anonymous
Irresponsible Disclosure 2002-06-29
Tired of loud mouth open source freaks (1 replies)
Irresponsible Disclosure 2002-06-29
Anonymous
Irresponsible Disclosure 2002-06-27
Anonymous
The shoe is on the other foot 2002-06-27
Anonymous (10 replies)
The shoe is on the other foot 2002-06-27
Anonymous
The shoe is on the other foot 2002-06-28
Anonymous
The shoe is on the other foot 2002-06-28
Anonymous
That's a pathetic excuse and not even very accurate to boot. Microsoft is generally notified of issues but especially when it comes from a publicly traded (or even private) research/security firm. Microsoft has in the past been very lazy about creating patches, thus the move by some to go ahead and publish results.
Next let's look at Apache's record. They have provided a stellar web server that is used by over half the internet and oh did you notice that it's free? ISS has basically shown that it has little respect for peers in the software industry even with reputations such as Apache's. The fact they could admit they didn't "trust" the team shows how petty they can be playing this game.
ISS knows they fucked up and they are trying to spin themselves back into public favor. They are a public company and can not afford to have an embarrassing situation like this get out of hand. I for one don't care about what happened so long as it doesn't happen again. Too much is at risk to allow the egos of a few people to just battle it out. My biggest concern is ISS's lack of regret. They have not apologized to the Apache team and could set a bad precedent when the next security company starts pondering the same move.
Back to the original point, two wrongs don't make a right. So get the fuck off your high horse and get with the program.



Link to this comment: http://www.securityfocus.com/comments/columns/91/13344#13344
The shoe is on the other foot 2002-06-29
Anonymous
The shoe is on the other foot 2002-06-29
Anonymous
The shoe is on the other foot 2002-06-29
pseudoAnonymous
Penalties 2002-06-27
Anonymous
Irresponsible Disclosure 2002-06-28
System Engineer in UK
Irresponsible Disclosure 2002-06-28
Anonymous
Irresponsible Disclosure -- CYA 2002-06-28
Anonymous
hehehe ! apachi is next victim 2002-06-29
ICMP_Z@yahoo.com (1 replies)
hehehe ! apachi is next victim 2002-07-01
Anonymous
what i think about ms... 2002-07-03
Lysergsäurediethylamid

Copyright 2009, SecurityFocus