
Re: DSA 438 - bad server time, bad kernel version or information delayed?



Jan Lühr wrote:

> > CERT/CC is no longer dominant.  Many people now disclose their findings
> > to other coordinators and get paid for that service.  Those who don't
> > believe in money don't support CERT/CC either because CERT/CC is selling
> > the information they collect via the Internet Security Alliance.
> 
> That looks quite chaotic.

It is, and things change again with the introduction of US-CERT.

> Are there (in your opinion) better ways to do so?

In the current marketplace?  Hardly.  For some companies (IDS vendors,
for example) limiting disclosure increases the value of their products
and services.  There are a lot of factors to consider.  It's not even
clear that finding security bugs is a worthwhile activity (see Eric
Rescorla's new USENIX submission).


