I would like to talk with you about responsible disclosure policies (in respect of AV/AT reviews). In particular, I would like to discuss the following thoughts:

1. A reviewer should only be interested in the "well-being" of the AV/AT software users. The reviewer should not worry about the reputation or revenue of an AV/AT software producer (i.e., the reviewer should not put lipstick on the pig).

2. A reviewer should definitely talk about a weakness which has already been disclosed in the VX/trojan scene. For example, if there is already an "advisory" on how to circumvent a particular scanner, the reviewer should inform the AV/AT software users about this issue. In other words, the reviewer should not hold things back and should not tell the users that they are safe if they are not safe. The reviewer has to make sure, however, that his/her findings are true before publishing them.

3. If a reviewer identifies a problem which has not already been disclosed in a trojan board or the like, the reviewer should inform the AV/AT software producer first, provided that such information allows the software producer to fix the problem in a timely manner. The reviewer should also inform the software users if this is possible w/o writing a "hacker tutorial" or the like. (For example, if a reviewer figures out an easy, semi-automatic way to integrate trojans into trusted applications, he should write about this possibility but should not disclose the details.)

4. The reviewer should not disclose sensitive information without having a proper reason. For example, if a reviewer invests a lot of time (relying on a trial and error approach) in order to identify the signatures used by a scanner to detect a specific trojan, there is no good reason to disclose this particular signature. This is because the disclosure does not demonstrate an important weakness. It simply creates a weakness.

Please let me know your thoughts.