The ZERT Evolution

In January during the WMF fiasco, I wrote The Power of Open Source. What we're now reading in Zero-Day Response Team Launches with Emergency IE Patch is the latest evolution of this idea. The Zeroday Emergency Response Team isn't a bunch of amateurs. These are some of the highest skilled security researchers and practitioners in the public arena. They are stepping up to meet a need not fulfilled by vendors, namely rapid response to security problems.

Why is this the case? Customers running closed operating systems and applications are stuck. They can't fix problems themselves, so they rely on their vendor. In fact, they are paying their vendor to perform the fixing service. To fund development of an alternative fix would be like paying for a fix twice.

ZERT is demonstrating that this model is broken. They are trying to respond as fast as possible to attacks. Because no one can be "ahead of the threat," reaction time is often key. ZERT can act faster than the vendor because ZERT operates in a freer environment:

Please keep in mind while the group performs extensive testing of any patches before releasing them, it is impossible for us to test our patches with each possible system configuration and in each usage scenario. We validate patches to the best of our ability, noting the environments in which the tests were performed and the test results.

So what shall it be? Wait and be owned, or turn to a third party? Perhaps we'll see a more rapid release of a use-at-your-own-risk patch from vendors, followed by a tested-for-stability patch. It's tough to believe that people without access to source code are developing fixes faster that the creators of software!