I've read through just about every single post regarding ISS and the Apache bug, their advisory release, their defense, and the response of others throughout the community regarding this issue. I am not embarrassed to say that I do not agree with ISS's defense. From an ethical standpoint, I would interpret their handling of the release to be wrong and a direct contradiction to some of the basic principles and standards under which IT professionals conduct themselves. This incident had a negative impact on many people (including the Apache development team) along with those of us who are responsible for Apache systems. In the five years I've been working with Linux, I don't recall another incident being handled so poorly. There are a lot of talented people working with open-source, including the end-users who use these products, and I find it rather "dark" to single them out by saying, "virtual organizations [??] do not have an ability to enforce strict confidentiality." There is little to be gained by such a statement.

--
Patrick
"Opinions expressed are only mine."