One Man's Opinion
"When we believe users are going to be misled, presumably for reasons of self promotion, we make every effort to nicely ask that the organization publish full and accurate information. When the issue continues unresolved, we regret we have to ask more forcefully. All Secunia needs to do is publish the facts in full without leaving out important facts and Autonomy, Secunia and our users will be well served."
O'Really?
Well, here's the facts as I understand them:
1. Secunia discovered a security vulnerability in Autonomy.
2. Secunia learned that at least one customer of Autonomy may not have patched their Autonomy-based code to close the security hole.
3. Secunia attempted to engage Autonomy to determine if the hole was, indeed, fixed and if third-party customers such as IBM had or would soon release the patch(es).
4. Secunia published the "results so far" with, as always, an eye to preventing data breaches (anyone remember TJX?).
5. Autonomy ignored the attempt to engage and immediately fell into
"disaster spin control" mode.
6. Autonomy also threatened litigation if Secunia performed it's ethical duty to inform consumers of a possible security problem; this some 3 days *after* the information had been published.
So, short version: Autonomy would strongly prefer that consumers who rely on their security product(s) suffer data breaches in ignorance, rather than ensure that all products built with their SDK are properly patched and secured.
Can anyone guess why I think lawyers are (as a rule) lower on the evolutionary and ethical scales than the Ebola virus?