A group of 11 security companies and software developers, known as the Organisation for Internet Safety (OIS), have released the first version of a consensus document governing the reporting and release of security vulnerability information.
The OIS, a voluntary group of 11 high-profile suppliers formed last September, released Version 1.0 of its Guidelines for Security Vulnerability Reporting and Response.
The 25-page document is the result of a year-long effort to standardise how security researchers and software suppliers work together to find, fix and release information to the public on software vulnerabilities.
The existing industry model of full disclosure has been a contentious and often politically charged issue.
It divided the security community into two camps, one consisting mainly of independent researchers, who feel that suppliers are only out to protect themselves and their customers, and the other of suppliers, which feel that researchers do not always adhere to the accepted practice of first notifying a supplier before making vulnerability and exploit data public.
"The environment has changed during the past seven to 10 years," said Chris Wysopal, director of research and development at @stake and co-author of the infamous Windows password-cracking program, L0phtCrack.
"[In the past], suppliers weren't communicating with anybody who wasn't a big customer. And they had no process at all."
The OIS guidelines are an effort to create a process acceptable to both researcher and vendor, one that keeps the security interests of users at the forefront, said Scott Blake, vice-president of information security at BindView.
"The process relies on good faith by both parties, and users' interests are the primary consideration."
Dan Verton writes for Computerworld