The Rise of Patch Vigilantism: Page 2
We can shake our fists at software product vendors and say things like, "You guys have got to take software security more seriously," until we're blue in the screen, but human nature says that we're still going to have to fix things that are broken from time to time.
Accepting this fact, what's the value proposition of a group like ZERT? Do they help keep the software product vendors honest by forcing them to react more quickly? Or do they take a bit of pressure off of them by providing stopgap patches in the interim, while the product vendors seriously and rigorously test their patches prior to release?
It would be great to hear some candid user reviews of the ZERT patches and how they were applied in production data facilities. It would be refreshing to hear from even one large enterprise that is willing to stand up and say that they installed the latest ZERT patch and found it to be a useful service.
In the meantime, I'll look at each ZERT patch on a case-by-case basis and decide which is worse for me and my company, the problem or the interim solution, and continue to hope that the product vendor can respond quickly enough for my purposes. Any ZERT patch would have to be the last possible choice, after even shutting off a service or feature until a vendor patch can arrive. Either way, though, kudos to the ZERT crew for their valiant attempts to do good things for the community.