At a recent talk Dan Geer mentioned that CERT no longer keeps archives of vulnerabilities or incidents since 2003. Apparently they thought the data they were getting was not good enough anymore. This is very unfortunate, since it makes tracking trends and correlating them with other data impossible for years after 2003. It’s hard to handle risk if you don’t know what’s happening.

-jsq