Man isn't perfect, and neither is the software he writes.
So when a security consultancy finds a hole or bug in an
application, it is often quick to announce the find to the
world without giving the developer time to fix the problem.
Hackers gleefully use this information for their own gain.
But this may soon change if the efforts of an industry group
are successful. Under a proposed rule, consultants who find
bugs in software would have to wait at least 30 days before
trumpeting the discovery to the world, giving developers
time to come up with patches.
The group, which calls itself the Organization for Internet
Safety (OIS), comprises eleven software makers and security
firms. It recently announced that it intends to devise
rules governing how the security community should responsibly
release information on software flaws.
The group's membership includes security companies like
@Stake, BindView, Foundstone, Guardent, ISS, NAI, and
Symantec, as well as software makers Caldera International,
Microsoft, Oracle and SGI.
The OIS says its charter is to make it easier for security
researchers and vendors to work together to fix security
vulnerabilities.
Through a statement posted on its website (www.oisafety.org/about.html),
the OIS says, "Today, there are no agreed-upon
processes for handling security vulnerabilities. Every
vendor has different expectations about how security
researchers should report newly discovered vulnerabilities,
the amount and type of information they should provide,
and so forth. Likewise, every security researcher has
different expectations about how often a vendor should
provide status on ongoing investigations, give credit
to the finder, and so forth."
The lack of any consensus procedures, the OIS argues, complicates
the process of fixing vulnerabilities and ultimately increases
the risk that all computer users face. The group describes itself
as a partnership between leading security researchers and vendors,
formed for the purpose of proposing such processes.