Re: Preferential notice of new versions

[Sean Donelan <sean () donelan com>]

On Sat, 03 February 2001, Adam Rothschild wrote:
> On Sat, Feb 03, 2001 at 10:00:51PM -0800, Joe Rhett wrote:
> > Sure they do! Try reading the website once or twice. Then you can
> > take your foot out of your mouth.
>
> I did.  Seems pretty clear that, unless you're a TLD server operator
> or large and respected OS vendor, they don't want to provide you with
> early advisories, paid or otherwise.

It seems pretty clear if you don't pay, you receive exactly the same
advisories you receive now.  No more, no less, no sooner, no later.

CERT has always told a few other groups about vulnerabilities prior to
their public release of advisories (vendors, some affected parties, etc).
If anything, ISC's comments seem directed at CERT's procedures. Instead
of trying to pass the information back and forth through CERT, ISC is
adding a direct mechanism for the same groups to communicate.  It doesn't
affect any of the other existing communication channels.

CERT issues a public alert about a vulnerability on its schedule.  BUGTRAQ
users continue to post exploits when and how they choose.  And as always,
the source code for all ISC released versions of BIND are available, so you
can find all the flaws yourself.

I will, and have, flogged Paul for doing stuff; but I'm afraid I don't
understand the uproar about this one.


I suspect there is another way to get yourself on the "list."  Find and fix
some significant bugs in BIND.