I think it has been well established that CERT's goal isn't to help you improve your security. They regard that as too dangerous a proposition. If they can secretly pass the word to participating vendors, they've achieved their goals. And if all the participating vendors should decide to fix the hole, why terrific. That's why we don't bother reporting to CERT anymore: let 'em learn about bugs by reading bugtraq or comp.security.unix, like the rest of us do. If they don't care to help us improve our security, we'll be glad to return the favour. -Bennett bet@sbi.com