We can shake our fists at software product vendors and say things like, “You guys have got to take software security more seriously” until we’re blue in the screen, but human nature says that we’re still going to have to fix things that are broken from time to time.

Accepting this fact, what’s the value proposition to a group like ZERT? Do they help keep the software product vendors “honest” by forcing them to react quicker? Or, do they take a bit of pressure off of them by providing stopgap patches in the interim while the product vendors can seriously and rigorously test their patches prior to release?

It would be great to hear some candid user reviews of the ZERT patches and how they were applied in production data facilities. It would be refreshing to hear from even one large enterprise that is willing to stand up and say that they installed the latest ZERT patch and found it to be a useful service.

In reality, though, I doubt that we’ll hear much of that kind of user story. Only time is likely to answer those questions in any sort of meaningful way. The optimist in me wants to believe the latter of those two possibilities, but the pessimist in me thinks that’s not likely to be the case.

In the meantime, I’ll look at each ZERT patch on a case-by-case basis and decide which is worse for me and my company, the problem or the interim solution – and continue to hope that the product vendor can respond quickly enough for my purposes. Any ZERT patch would be my last possible choice, behind even shutting off the affected service or feature until a vendor patch can arrive. Either way, though, kudos to the ZERT crew for their valiant attempts to do good things for the community.