[Full-Disclosure] openssl exploit code (e-secure-it owned)

[Andrew Thomas]

Hi,

A few comments I believe are in order.

Firstly, Erik has a point with regards to securing your own boxes. If
they're not secured tightly, why should a company trust information
proporting to come from you?

Secondly, I had a look at the business proposition that Arjen's group is now
following. I though it was a valuable service and I still believe it is a
valuable service.

Time=money, and perhaps you might be willing to take on an admin job that
requires +-8 hours a day, plus spend an additional 2-3 hours a day keeping
up with mailing lists in your own time, but not all are.

Or maybe you'd be willing to pay for another admin to work half-day to keep
up with the lists. Again, I wouldn't. I'd rather split the costs with
several other companies and keep my admin up to date with information
relevant to our internal architecture. I don't want to pay for my staff to
spend hours a day staying current with vulnerability information on
AIX/HPUX/Linux, when we're running a FreeBSD/Solaris shop.

Or what am I missing here?

Regards,
  Andrew