Security select XI tackles reporting standards

Microsoft lines up alongside Oracle up front...

A new group, consisting of eleven software makers and security firms, has formed to set down rules regarding how the security community should responsibly release information on software flaws. Oracle and Microsoft are among the members of the group, called the Organisation for Internet Safety, which hopes to bridge the gap between security firms and independent consultants who release information about flaws to grab media attention and the software companies that frequently find themselves with egg on their face over the holes in their applications. On its site, (see http://www.oisafety.org for more),the group says: "Today, there are no agreed-upon processes for handling security vulnerabilities. The lack of any consensus procedures complicates the process of fixing vulnerabilities, and ultimately increases the risk that all computer users face." The group stressed that any guidelines it creates will be just that no enforcement mechanism will be advocated. Members of the group are security companies @Stake, BindView, Foundstone, Guardent, ISS, NAI, and Symantec as well as software makers Caldera, Microsoft, Oracle and SGI.