Security group issues compromise plan for vulnerability reporting
The Organization for Internet Safety has released a guide for reporting and responding to software security vulnerabilities, hoping to bring some order to the continual struggle between code makers and code breakers. The voluntary guidelines, available on the OIS Website at www.oisafety.org, are an effort to balance the public’s right to know about possible problems against the need for vendors to correct those problems before they are made public. They call for:
*cooperation between the discoverer of a flaw and the software vendor
*a waiting period, typically 30 days, to let a vendor correct a problem before it is publicly announced
*a 30-day grace period to let users fix their systems before technical details that could help attackers are released.