I attended the ISP Security BoF this evening and listened to Juniper and Cisco defend their positions of determining who gets notifications first. Decent talk. Folks did defend the "you need to reach us" to get the patch method, but some of it was "me too" I'd like to suggest to the Program Committee that a talk related to just this be solicited at the next NANOG and include all of the vendors who want to participate. They did concur that the current system is broken. This is part of the reason I decided to post this. To let everyone know that this is a problem and the vendors agree. I *was disappointed in was the harsh criticism of DHS. The vendors called DHS and the Pentagon the biggest source of leaks related to 'their' security vulnerabilities. I don't know if that's true, but if they are, I hope they're leaking to the right people. Thanks to Juniper and Cisco for holding the talk. -M< -- Martin Hannigan (c) 617-388-2663 VeriSign, Inc. (w) 703-948-7018 Network Engineer IV Operations & Infrastructure hannigan@verisign.com