On 3 Feb 2001, Paul Vixie wrote:
patrick@cybernothing.org (Patrick Greenwell) writes:
hiding it DOES however make it harder for people (including network owners) to do surveys.
By the same token one might argue that atempting to hide vunerabilities to those paying you for "early warnings" doesn't help at all.
Wrt the bind-members forum being discussed to death elsewhere, nobody can pay for early warnings. CERT will still be the source of early earnings. What people can pay for (bind-members participation) is the legal fees associated with NDA-level access to early fixes, if and only if they provide part of the internet's basic infrastructure (e.g., OS vendors and TLD server operators).
The category "OS vendors" gets a little fishy... Do Linus Torvalds and Alan Cox get on the list if they sign the NDA? How about Patrick Volkerding? Someone like Microsoft or Sun obviously qualifies, but with respect to Open Source OSes, fact is *everyone* is an OS vendor at some level. This is my main objection to the proposed private list: That it assumes everything is done from a couple centralized sources, such as companies like Microsoft or Sun. This is decidedly not true.
Just something to consider.
I promise that ISC considered everything which was relevant, which your claim above is emphatically not. (Thanks for the FUD though.)
Now I wonder if my thoughts are relevant. Matthew Devney