Several weeks ago, the communications trade press revealed that Cisco Systems Inc. had taken unprecedented measures to keep certain security flaws involving buffer overflows from being discussed at the Black Hat conference in Las Vegas. While Cisco has reasons to disapprove of detailed code deficiencies being discussed before it has had a private chance to patch them, Cisco employees reportedly went so far as to snatch conference handouts away from attendees. One would think a networking OEM would have learned from IT professionals that threats of retaliation don't deter hackers from revealing problems.
We applaud our competitors Network World and eWeek for strong editorials warning Cisco about playing such a heavy hand. But when eWeek asked Cisco chief development officer Charlie Giancarlo about the incident, Giancarlo talked about "standard practice," insisting that it was Cisco's business to set standard policies for dealing with unofficial disclosures of vulnerabilities.
Sorry, Charlie, but even if a company wants consistency in the way it does business, it is not the company's place to decide unilaterally how customer complaints are answered. It is up to customers to provide feedback on those responses, and up to the company to adjust its policies accordingly. Anything less would represent a one-way, dictatorial approach to doing business.
-Loring Wirbel, communications editorial director for EE Times