I'm confused. I get the TLD server operators part. But you're saying that you'd only give OS vendors access to this information. How long does it take, say, Sun, to issue a patch update? Wouldn't it be much more efficient, and useful, to issue the information directly to the people using the software? How many people actually use the default vendor binaries anyways?
Just about every very large company that I've ever worked with. Also, having spent numerous years working the NAVSEA and other Pentagon systems, you are explicitly not permitted to install anything other than a vendor-provided patch.
My god, are there really this many idiots out there that don't grasp how the world works?
Good. Reduce yourself to insults and don't even answer the [first] question.
You're right about the insult, but the point remains -- it doesn't matter how long Sun takes. He isn't changing how the security information gets to the world, he's providing Sun a support channel for assistance integrating the security fix. In my experience (being a paying Sun support contract customer) I've gotten security fixes from Sun in a time range from 2-6 hours. 6 hours was the longest time that I've experienced from handing them a security flaw they didn't know about until I had a valid patch in my hands. On a closed circuit channel for security updates.

--
Joe Rhett
Chief Technology Officer
JRhett@ISite.Net
ISite Services, Inc.
PGP keys and contact information: http://www.noc.isite.net/Staff/