The aim is to balance the users' right to know whether their software is flawed against the possibility that publicising vulnerabilities may encourage hackers.
The new group, the Organisation for Internet Safety (OIS) will work to develop a system that will set standards for the way security vulnerabilities are disclosed.
Generally, security companies and independent security researchers who discover software bugs inform the vendor of the discovery and allow the company some time to develop a patch for the flaw before releasing the information publicly.
However, this is not always the case, and security vulnerabilities have been declared publicly before the vendor concerned has had a chance to examine the bug, or determine its importance.
"We're trying to give some guidelines for what constitutes professional behaviour," said Scott Blake, chairman of the communications committee for OIS and vice-president of information security for Bindview, one of the group's members.
Other organisations backing the move include Microsoft, Network Associates, Oracle, Silicon Graphics, Symantec, @stake, Caldera International and Internet Security Systems.
An advisory board of network security managers is being set up to help the OIS understand the needs and concerns of IT departments when reporting security vulnerabilities. Drafts of potential standards will be circulated in early 2003, the organisation said. Each member organisation will have an equal vote in proposed standards, Blake said.
A final set of standards will not appear for some time, but there will be opportunities for public comment on the proposals, Blake said.