> > No, but I had thought they had advertised themselves as a worthwhile > place to report them, and my perception, and apparently that of many > other people here, is that this is not the case. It depends on your definition of "useful." If it is defined as "gets the bug reports to all the vendors without also disclosing it to any real or potential bad guys in the process; follows up the report to make sure that the vendors are maybe working on it; and then provides a wide-ranging, trusted announcement method to alert people when the fixes are available" then it *is* worthwhile. However, if your definition of worthwhile is "Broadcasts details of the bug to only those people who are on a particular network or subscription list, including bad guys and hacker 'wannabes,' before there is any fix available" then Usenet, 8lgm, Phrack, this list, and other such forums are varying degrees more "worthwhile." There are places in between these two, and other FIRST teams, other groups and individuals (myself included) fall more in the middle. In my opinion, CERT also needs to move closer to the middle from their current position (the other direction would take them towards "never report the bug to anyone"). I still view CERT as worthwhile however, as compared to some of the alternatives. --spaf