The Zero-day Emergency Response Team is an interesting concept. Certainly lots of smart people participating. I am not sure how many have experience with truly large heterogeneous computing environments (say, that of a Fortune 500 company) – one of the biggest reasons why bugfinders and other security consultants don’t "get" the associated problems, in my opinion.
Honestly, I am a bit more ambivalent than I thought I would be about the topic. ZERT certainly is buzzworthy but not really that interesting: third-party temporary patching. The Manifesto is laced with interesting caveats – "to the best of our ability" seems to be the refrain. This approach is probably fine for small and midsize businesses with extra resources.
It is interesting to me that the approach to address 0days is to double patch, which essentially doubles the resource requirement as far as I can tell, and it still doesn’t even solve the problem. There are a lot of other ways to mitigate these risks than patching, and this appears to be the most intrusive. But there are no hard dollar costs and so the option appears attractive, even though it is likely to bring with it a higher TCO than pretty much any other method.
I wouldn’t recommend it, but some small organizations (or those with plain vanilla endpoints) that are highly risk averse yet don’t have budget dollars to buy a more useful solution might want to consider it.
Randy Abrams (who is involved with ZERT) had a good take on whether the 3rd-party patch was something people should use or not (http://eset.com/threat-center/blog/?p=18)…
Basically, if you NEEDED VML to work (and therefore couldn't use the workaround that involved unregistering vgx.dll), then you should try to use the ZERT patch until the official patch comes out (which it now has); but since most people don't need or use VML, the official workaround was the better option for most people…
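The workaround the comment above refers to is Microsoft's own mitigation for the 2006 VML (vgx.dll) flaw: unregister the COM server so Internet Explorer can no longer load it, then re-register it once the official update is installed. The script below is an added example, not code from the thread, from ZERT, or from ESET; the vgx.dll path matches the one Microsoft published for 32-bit installs, and the note about a second copy under Program Files (x86) on 64-bit hosts is an assumption to be checked on your own systems.

```powershell
# Added example: apply (and later roll back) the "unregister vgx.dll" workaround.
# Assumption: the 32-bit path published by Microsoft; on 64-bit Windows the
# 32-bit copy used by 32-bit IE lives under ${env:ProgramFiles(x86)} instead.
param(
    [switch]$Rollback   # re-register vgx.dll after the official patch is on
)

$vgx = Join-Path $env:ProgramFiles 'Common Files\Microsoft Shared\VGX\vgx.dll'

if (-not (Test-Path $vgx)) {
    Write-Host "vgx.dll not found at $vgx; nothing to do."
    return
}

if ($Rollback) {
    # Re-register the control so VML works again (do this only after patching).
    & regsvr32.exe /s $vgx
    if ($LASTEXITCODE -ne 0) { throw "regsvr32 failed (exit $LASTEXITCODE) re-registering $vgx" }
    Write-Host "Re-registered $vgx; VML rendering restored."
}
else {
    # Unregister the control: IE can no longer instantiate the VML renderer,
    # so the vulnerable code path is not reachable from web content.
    & regsvr32.exe /s /u $vgx
    if ($LASTEXITCODE -ne 0) { throw "regsvr32 -u failed (exit $LASTEXITCODE) for $vgx" }
    Write-Host "Unregistered $vgx; VML rendering in IE is disabled until you run with -Rollback."
}
```

Run it as an administrator; without `-Rollback` it applies the workaround, with `-Rollback` it undoes it. The `/s` switch suppresses the confirmation dialog so the script can be pushed through a login script or management tool, which is the reason the workaround scaled better than a third-party binary patch for sites that did not actually need VML.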