On Mon, Jul 28, 2008 at 4:57 AM, Nathan Ward <nznog@daork.net> wrote:
> I'm not sure I understand what benefit a closed list would have in
> this sort of scenario, to be honest. I can't imagine that CCIP, or
> anyone else, are going to have information about security problems
> like this before they are in the wild - there's just too many people
> involved globally for closed distribution to be truly closed.

Many people had details about this particular vulnerability well before it was released - including many/most of the vendors involved and the majority of the security organisations like CCIP (who have specifically stated on the list that they knew).

As a vendor, we (IronPort/Cisco) knew about this in late May, but of course were under embargo to keep it quiet until it was officially released.  To the credit of everyone involved across all of the vendors/etc (and it would have no doubt been a small list, but not that small...) it was kept quiet for over 6 weeks until the official release.

No doubt CCIP would have had their hands similarly tied with respect to notification.  That said, once it was released I would hope that what they knew was spread far and wide. I saw the CERT and AusCERT notifications multiple times on various forums, but didn't see anything from CCIP - although that could just be due to the selection of lists that I'm on...

  Scott