It seems pretty clear if you don't pay, you receive exactly the same
advisories you receive now. No more, no less, no sooner, no later.
CERT has always told a few other groups about vulnerabilities prior to
their public release of advisories (vendors, some affected parties, etc).
If anything, ISC's comments seem directed at CERT's procedures. Instead
of trying to pass the information back and forth through CERT, ISC is
adding a direct mechanism for the same groups to communicate. It doesn't
affect any of the other existing communication channels.
CERT issues a public alert about a vulnerability on its schedule. BUGTRAQ
users continue to post exploits when and how they choose. And as always,
the source code for all ISC released versions of BIND are available, so you
can find all the flaws yourself.
I will, and have, flogged Paul for doing stuff; but I'm afraid I don't
understand the uproar about this one.
I suspect there is another way to get yourself on the "list." Find and fix
some significant bugs in BIND.