Paul A Vixie writes: >Generally what happens is: > > a bad guy finds a hole > lots of bad guys use the hole > ... I agree with your timeline. Unfortunately, I'm not interested in it after step 2. When lots of people are exploiting a hole, I want the details of that hole made widely available --- I want several orders of magnitude more people able to work on fixes and workarounds. Happily, many other people seem to agree; I'm optimistic that the typical time between bug discovery and widespread bug fixing may drop from years to months. Maybe even, with work, to weeks. Once lots of people are exploiting the bug, I think keeping it out of system administrators' hands changes from well-intentioned foolishness to seriously irresponsible, destructive behavior. This, as best I recall, is why the bugtraq list was started. -Bennett bet@sbi.com