Thanks, Mark, for an interesting posting about CERT. Let me add just one or two comments about the place.

That CERT should be interested in software engineering is a very good sign. What do you think causes most security holes? It *isn't* lack of cryptography, for the most part, though this last big incident is an obvious exception. The answer, of course, is bugs in the code -- and to that, software engineering is the only answer from computer science as a whole. (Bob Morris Sr's keynote address at the last UNIX Security Conference was entitled ``if your software is full of bugs, what does that say about its security?'')

As for the database stuff -- from what the folks at CERT have told me (and yes, I know some of them quite well), they're having a problem managing the tremendous volume of bug reports, incident reports, etc. They need to do their own tool-building.

Finally, there are some folks at CERT who are *extremely* sharp. I don't know who you talked to, but there are people there I'd hire in an instant if they were available.
participants (1)
- smb@research.att.com