My company makes a product ("UniGate") which among other things is an SNMP
agent. When CERT's recent SNMP advisory came out
(http://www.cert.org/advisories/CA-2002-03.html), we reacted I think like
any other responsible vendor should. I grabbed the various test suites
available and threw them against undefended internal test boxes while the
engineering staff consulted the source code. It took us two full days to
get a handle on things, but by February 14th we had an advisory statement
for our customers. I mailed CERT a copy (you can see the text of the
message
here: http://www.stdnet.com/support/?category_number=3&subcategory_number=1 )
On its major advisories CERT advertises a "Vendor Information" section with
"details from vendors who have provided feedback for this advisory." I
see the online doc has been updated several times a day since the advisory
came out (18 times since I sent my first email), but after 4 emails and 2
phone calls I'm still waiting for anything other than an automated response.
Has anyone else (particularly vendors) ever had problems getting CERT to
post stuff, or even acknowledge your presence? Is there an invisible
"pay-to-play" thing going on here which has escaped my notice? Am I
talking to the wrong people? Anyone? Buehler?
TIA, Jonathan Lampe, GCIA, GSNA, etc.
P.S. Here's where I sent copies of the letter (give it another shot every
2 days or so...):
cert@cert.org SUBJ: VU#617947
cert@cert.org SUBJ: CA-2002-03 Feedback VU#617947
cert@cert.org SUBJ: Yet Another Vendor entry for CA-2002-03
Number Called:
412-268-7090 (Feb 15 and Feb 18)
(On a Friday phone calls, the guy ack'ed receipt of at least one of the
email messages - said "call back on Monday".)
