Gene Spafford writes: >1) I have not seen them make any security patch announcements to any >of the established security-related newsgroups or mailing lists. I have. For example: Newsgroups: comp.security.unix,comp.sys.hp.hpux From: bkelley@cup.hp.com (Bob Kelley) Subject: HEWLETT-PACKARD SECURITY BULLETING: #00007 Message-Id: <Cotx6G.Fns@cup.hp.com> Date: Mon, 25 Apr 1994 19:08:40 GMT >2) HP does not have a member or liason in FIRST, nor have they had >any presence at any of the incident response workshops. Considering CERT's amazing lack of contribution to improving security, I consider this a sign of HP's good faith. Some folks want to see security bugs fixed, not lovingly preserved for the amusement of future generations. -Bennett bet@sbi.com