Several times each week, the Internet Storm Center is requested to broker between parties who have found vulnerabilities, and the corresponding vendors of the software or services affected. While we're always happy to assist, the reason for our involvement has much less to do with animosity between both parties than with the availability of either one of them.

Many accidental finders of a security problem bump into issues when trying to report it to the vendor of the software or service. The last thing someone reporting an issue wishes to do is to spend twenty minutes logging a support case, only to be halted when they are requested for a serial number. There are situations in which a non-direct client may have become aware of a security issue in your product. Even in that case, you *really* want to know.

If you're a software vendor or services company, please take some time today to ensure you have security contacts listed on your public portals. It's always a good idea to ensure these details are known to organizations such as CERT, oCERT, the Storm Center and public resources such as the open vendor database at OSVDB. Nothing beats making it clearly visible on your site, where it's trivial for everyone to find.

Cheers,
Maarten