News headlines for security vendors and their customers have been pretty rotten of late. The RSA brand's reputation is particularly muddy since it announced hackers had penetrated RSA servers and stole information related to the company's SecurID two-factor authentication products.There's also the recent, sad saga of HBGary and more than one headline about Kaspersky Lab being targeted over the last couple years.The latest piece of bad news concerns McAfee and comes by way of my colleague over at Network World, Julie Bort. She writes:The McAfee.com website is full of security mistakes that could lead to cross-site scripting and other attacks, researchers said in a post on the Full Disclosure site on Monday. The holes with the site were found by the YGN Ethical Hacker Group, and reported to McAfee on Feb. 10, YGN says, before they were publicly disclosed to the security\/hacking mailing list.In addition to cross-site scripting, YGN discovered numerous information disclosure holes with the site including seeing an internal hostname and finding 18 source code disclosures. The portion of the site that could be used for XC scripting attack hosts some of McAfee's files for downloading software, YGN says on its Full Disclosure post.This isn't just embarrassing, but also somewhat discrediting for McAfee, which markets a McAfee Secure service to enterprises for their customer-facing websites. McAfee Secure scans a website daily for "thousands of hacker vulnerabilities," the company advertises. If the site is found to "be certified" to McAfee's "high standard of security," then users of McAfee anti-malware products see a "McAfee Secure" label in their browsers. McAfee Secure claims to test for personal information access, links to dangerous sites, phishing, and other embedded malicious dangers that a website might unknowingly be hosting.