On Sat, 03 February 2001, Adam Rothschild wrote:
On Sat, Feb 03, 2001 at 10:00:51PM -0800, Joe Rhett wrote:
Sure they do! Try reading the website once or twice. Then you can take your foot out of your mouth.
I did. Seems pretty clear that, unless you're a TLD server operator or large and respected OS vendor, they don't want to provide you with early advisories, paid or otherwise.
It seems pretty clear if you don't pay, you receive exactly the same advisories you receive now. No more, no less, no sooner, no later. CERT has always told a few other groups about vulnerabilities prior to their public release of advisories (vendors, some affected parties, etc). If anything, ISC's comments seem directed at CERT's procedures. Instead of trying to pass the information back and forth through CERT, ISC is adding a direct mechanism for the same groups to communicate. It doesn't affect any of the other existing communication channels. CERT issues a public alert about a vulnerability on its schedule. BUGTRAQ users continue to post exploits when and how they choose. And as always, the source code for all ISC released versions of BIND are available, so you can find all the flaws yourself. I will, and have, flogged Paul for doing stuff; but I'm afraid I don't understand the uproar about this one. I suspect there is another way to get yourself on the "list." Find and fix some significant bugs in BIND.