I manage product security at McAfee, of which Foundstone is a part.  I am not 
aware of releasing such an advisory, and am looking into this.  Could we get 
details regarding where this was found?  Was this posted to a web site?  A 
security mailing list?  And when was it posted?  This may have a very different 
meaning if it was published in 2001 or something like that.  Alternately, 
Foundstone produces a vulnerability management software, was this in a report 
generated by that product?  

As far as I know, we try to never make general sweeping statements about 
products such as those quoted by the poster.  Our statements are typically 
regarding a single vulnerability, and extrapolating to the entire product is 
not in our nature or in our customer's best interests.  We want issues fixed, 
not to argue about which specific platforms are better than other.  
Additionally, we try to never release any vague reports such as the one I'd 
seen.  They are typically combined with additional details that would allow one 
to determine their own risk, and we usually include a CVE number or another 
common vulnerability identifier.  Finally, we follow responsible disclosure, 
and wouldn't issue an advisory without notifying the vendor prior.

I have the appropriate teams trying to track down from an internal standpoint, 
but any help from the community, especially the original poster, would be 
appreciated.  If our statement or product wording is incorrect, we will 
certainly rectify this.

Ryan Permeh
Manager of Product Security
McAfee Security Architecture Group
email: ryan_per...@mcafee.com

Zope maillist  -  Zope@zope.org
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope-dev )

Reply via email to