open-source software security
You keep suggesting you're more comfortable hearing that your software might have a flat tire from someone you know rather than someone you don't. At the same time, there are valid security reasons not to broadcast out immediately about your software's problems to the world. Fortify--or any other firm or individual for that matter--puts their reputation on the line when they make claims like the ones in the Fortify study. So far, there doesn't seem to be a lot of rebutting of those claims specifically. (I hate bringing up Microsoft again, but that's how they started out, not bothering to even rebut claims until mass-calamity IT security events related to holes exploited by attackers in their software made ignoring advice from outsiders impossible). Based on what Fortify appears to know about the 11 software packages it examined, it would probably be pretty easy for them to devise exploit code--in which case, their reputation would be pretty much shot if they made it available! Anyway, there are several firms that have security software with capabilities like that of Fortify's. (In fact, Ingres uses one and we'll mention it in the upcoming story). Nobody's saying this is a simple matter to deal with.