Because so much of the industry was not ready to provide protection against client-side attacks when the criteria was written, testing against relevant client-side vulnerabilities is optional.  Successfully meeting this elective module may be in the best interest of developers and enterprise end users alike.  Providing coverage for the vulnerabilities in the client-side module helps differentiate one certified product from another.  Plus enterprise end users often expect not just server-side but also client-side protection when they purchase a network IPS.  ICSA Labs recommends that enterprise end users ask whether or not their network IPS provider or potential provider has been tested against this important, elective vulnerability test set.