CERT To Charge For 'Timely Alerts'
thrillbert writes: "There is a story at c|net about how CERT is going to start charging anywhere from $2,500 to $70,000 for security alerts (depending on the size of the organization). They claim that subscribers are going to receive the alerts up to 45 days before anyone else does. However, from personal experience, I know that CERT is usually 60 days behind in releasing their 'alerts'. I have seen postings in BugTraq at least 2 months before I ever got a CERT advisory. And in the advisories I have received, I have never seen CERT giving credit to the bug hunters who found the vulnerability. I wonder if they are planning on compensating the bug hunters whose advisories they recycle." And as mr.nicholas puts it, pointing to an AP story, "Looks like a Federally funded service is trying to go private."
Besides that, they are federally funded. Either leave it public, or stop spending my tax money on it if it wants to run itself like a private business.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
> why on Earth can't these people charge for a timely and useful service
Well, the first question is whether or not they *pay* for the information in the first case. As they don't even credit their sources, it's questionable whether the bug hunters are gonna get a cut of this money.
The second reason is that CERT is federally funded. CERT was founded to provide security alerts to the government, and the government has paid (and continues to pay) them. Since I've paid my taxes, I've already paid them for this information.
-- Don't Tase me, bro!
CERT is federally funded. At least *part* of the idea was to provide a timely list of security problems to anyone at *no cost*.