This means Juniper doesn't get as many bugs in the public eye (ow) as Cisco does. Then again, it means any bug that gets discovered has a bigger potential to turn into news. That happened in 2005, although, admittedly, that was a humdinger of a bug. (See Security Bugs Bite Juniper, Cisco.) And it came up late last week, when The Register made a little story out of a BGP flaw that had to be corrected in Junos.
Juniper officials have the right to apply whatever security policy they want. I'd normally side with the open-source crowd and say disclosure is the better option -- but the logic that holds with Windows might falter, given customers' limited access to the innards of Junos or Cisco's IOS.
That's going to change, of course. Juniper is opening Junos in a very limited fashion, targeting new applications rather than tweaks and bug fixes. (See Juniper Opens Up to Apps Developers.) Cisco might be doing the same with IOS, as officials at the recent analyst day mentioned they're working on putting third-party hooks in there.
Still, I wouldn't expect either company to rewrite its policies. Juniper might become more forthcoming about bugs, but only to its customers and developers, not to the press. Cisco doesn't disclose every bug right away, as I recall, and that probably wouldn't change either.
Amusing side note: Juniper gets a lot of publicity off of a certain other company's bug-disclosure policy. About once a month, there's a Juniper press release with the title, "Juniper Networks Protects Customers from New Microsoft Vulnerabilities Disclosed Today." Because they come so often -- and with identical headlines -- we stopped bothering to add them to our news wire feed. (If you're dying to see one, try Juniper Claims Microsoft Protections or Juniper Safe Against Microsoft Bugs.)
— Craig Matsumoto, West Coast Editor, Light Reading