Jan Lühr wrote:

> > CERT/CC is no longer dominant. Many people now disclose their findings
> > to other coordinators and get paid for that service. Those who don't
> > believe in money don't support CERT/CC either because CERT/CC is selling
> > the information they collect via the Internet Security Alliance.
>
> That looks quite chaotic.

It is, and things change again with the introduction of US-CERT.

> Are there (in your opinion) better ways to do so?

In the current marketplace? Hardly. For some companies (IDS vendors, for example) limiting disclosure increases the value of their products and services. There are a lot of factors to consider. It's not even clear that finding security bugs is a worthwhile activity (see Eric Rescorla's new USENIX submission).