I've had several people tell me that HP has gotten better recently. I would have mentioned them as good examples, except: 1) I have not seen them make any security patch announcements to any of the established security-related newsgroups or mailing lists. 2) HP does not have a member or liason in FIRST, nor have they had any presence at any of the incident response workshops. 3) I have read accounts of HP customers not being able to get security patches because they aren't paying for maintenance. #3 may no longer be true; in any event, I have no direct experience with it so I can't say it was ever more than a misunderstanding. --spaf