> From spaf@cs.purdue.edu Wed Apr 27 11:52:25 1994
> Just a comment on:
>
> > CERT reacts far too slowly to reported holes. I'd much rather
> > shut down some functionality on my system to wait for a patch than
> > leave systems wide open while waiting for a report to come from
> > CERT.
>
> If you are using a commercial system like UnixWare, then what the heck
> is wrong with your vendor that they aren't responding quickly? CERT
> passes vulnerabilities on to vendors. When vendors inform them of a
> patch, CERT publishes it. But it is the *vendors* that are slow in
> the process. CERT doesn't fix things.
>
> If you are going to direct criticism, direct it where it
> belongs -- at vendors (and at customers who blindly buy the crap some
> vendors put out).

I'd agree with you EXCEPT I wasn't suggesting CERT should "fix the bugs faster" as you imply. I'm complaining that they get a report of a hole, pass it on to the vendors, and that's it. As I said above, I'd much rather shut down some functionality on my system and wait for a patch than leave my systems wide open.

This is not a criticism of CERT per se, but just the systems we have in place in general. If CERT doesn't want this task of sending out advisories that look like, "There's a problem in rdist, shut it down completely until a patch is available or else..." then someone else should.

CERT does do some great incident coordination--my interactions with them (through CIAC) have been great. However, I just wish their role would be expanded a little more.

-Mike