Cloud-security startup Orca Security launched its Transparency in Cyber initiative in the latest chapter of its ongoing battle against Palo Alto Networks. It calls out cybersecurity vendors that the group says “restrict transparency” by, among other things, not allowing customers to post negative product reviews.
There are 26 security providers on the group’s scorecard that have these types of restrictions. And yes, Palo Alto Networks is one of them. Others include CrowdStrike, AT&T Cybersecurity, Juniper Networks, Trend Micro, McAfee, and VMware Carbon Black.
On the flip side, the group, whose co-founders include BeyondTrust, Lucidum, and IT Central Station, also lists a “Transparency Honor Roll,” with about 120 vendors that it surveyed and that have no end-user license agreement (EULA) restrictions about what customers can publish and communicate about their products. Cisco, Fortinet, F5 Networks, Qualys, and Symantec are some of the companies that made the honor roll.
Orca Legal Dispute Births a Transparency Movement

In an interview with SDxCentral, Orca Security CEO Avi Shua said the transparency initiative stems from a legal dispute with Palo Alto Networks.
About a year ago, Orca launched a video series called “Cloud Security Punch-Out” that compared its product to competing software from CheckPoint, Qualys, Rapid7, Tenable, and Palo Alto Networks.
“I’m a big believer that in cybersecurity and in general B2B software you need to show, not only talk,” Shua said. “So this is the approach that we took, and we were surprised to get a cease and desist letter from Palo Alto stating that their EULA prevents anyone from publishing any evaluation of their product without their permission.”
Instead of ceasing and desisting, Orca published Palo Alto Networks’ letter along with one of Shua’s own that urges transparency in security.
“It’s outrageous that the world’s largest cybersecurity vendor (its products being used by over 65,000 organizations according to its website), believes that its users aren’t entitled to share any benchmark or performance comparison of its products,” Shua wrote. “According to its boilerplate contract terms that prohibit ‘disclosing, publishing, or otherwise making publicly available any benchmark, performance, or comparison tests’ of its products, you’re in violation even if you publish the results of an internal comparison of Palo Alto Networks against other products as part of your procurement process.”
Shua says he was surprised at the response his letter received. “I got many interesting notes from people in the ecosystem stating that there are many other companies that may not be as aggressive, but they don’t allow the users to publish their views or any benchmarks, either,” he said.
So Orca set about surveying more than 200 EULAs from both public and private security vendors. And they were “shocked” to find that 42% of the vendors have some type of clause that restricts users from publishing reviews or performance benchmarks without the firm’s approval. “We believe this is something the industry should not accept,” Shua said. “So we took this and we started this initiative as a call out to vendors to remove such anti-competitive clauses. And for the ecosystem to demand that from vendors.”
They also found that among the companies that restrict disclosures in their EULAs, 27 actively promote positive reviews of their products and flattering leaderboard rankings in their own marketing materials and on platforms including Gartner Peer Insights.
“Imagine that you want to go buy a car, and car manufacturers banned you from publishing reviews unless they were positive,” said Andy Ellis, advisory CISO at Orca Security and an operating partner at YL Ventures. “Not every car is the same. Maybe you’re in the market for an electric vehicle, so you don't care about the Nissan Titan reviews, but you don’t want to buy a small, sub-compact car when you thought you were buying a pickup truck.”
However, this flying (driving?) blind scenario is akin to what happens when you buy security software today, he added. “You buy technology, and all you have to go on is what the vendor claims it does until you’re knee-deep in the solution, because the practitioners who used it before you aren’t allowed to tell you this solution is great at this problem, but not so good at solving this other problem.”
SDxCentral reached out to several vendors that Transparency in Cyber says restrict disclosures in their EULAs. Palo Alto Networks declined to comment. So did CrowdStrike, AT&T Cybersecurity, Cybereason, and MobileIron.
VMware, which now owns Carbon Black, and Juniper Networks did not respond to multiple requests.
Extreme Networks, Trend Micro Weigh In

Extreme Networks and Trend Micro did respond, and both said that while they regularly evaluate their EULAs, they don’t have any immediate plans to change them.
“We are generally supportive of actions that increase cybersecurity,” said Extreme Networks CIO John Abel in an email to SDxCentral. “At Extreme, we view cybersecurity as everyone’s job. Today, we work very closely with customers and partners to identify and remediate any perceived or actual vulnerabilities that may exist within our offerings. We share appropriate information with our customers/partners and cooperate and comply with legal requirements.”
Meanwhile, a Trend Micro spokesperson said the vendor “agrees that the cybersecurity community deserves transparency and a free flow of information to evaluate products. We commend Orca Security for their effort to create more transparency across the sector.”
The spokesperson added that earned third-party testing is vital to a competitive landscape. To this end, Trend Micro says it makes its products available for analysis and allows customer trials prior to purchase. “We’ve written about our stance on this before: every parent thinks their baby is the most beautiful, so no buyer should rely on a vendor’s own testing no matter how well documented,” the spokesperson said. “And third-party tests must be independent — not a test-for-hire.”
Trend Micro is evaluating its EULA restrictions, the spokesperson said. “Most leading security providers currently use restrictive language to limit the proliferation of biased or misleading product comparisons and reviews by competitors and their various marketing ecosystem partners, and do not generally enforce them against legitimate customers or truly independent reviewers,” the spokesperson added. “Trend Micro regularly reviews its policies and procedures and will monitor its customers’ evolving preferences with respect to this issue.”