In general, though, the open-source world, which has to deal with public development models, has largely learned to embrace security researchers.
"If we get a report from the outside, it is up to the one who finds the vulnerability to decide what happens to it," said Roman Drahtmueller, head of security for SuSE Linux, Novell's version of the operating system.
Microsoft, however, would rather work in secrecy with flaw finders to help prepare a fix. With the public spotlight on its security glitches and with hundreds of millions of users relying on its products, the software giant is very systematic in its approach to patching.
"It is best for customers, because we have a chance to provide updates before a large segment of the black hat community gets to make use of the vulnerability," said Microsoft's Kean.
Flaw finders who do not play by the rules don't get credit in Microsoft's security bulletins and are rebuked in press releases, among other sanctions.
"Microsoft is concerned that this new vulnerability in (product is named) was not disclosed responsibly to Microsoft, potentially putting computer users at risk," the software maker has typically written in e-mailed statements about vulnerability disclosures.
Despite the efforts of Microsoft and others, many researchers still don't feel that the companies take their findings seriously. While some security software sellers have lauded Apple for its response to vulnerability discoveries, an independent researcher gave the company a thumbs-down.
"It's really been like pulling teeth dealing with them over the years," said the researcher, who asked not to be identified. "I know a lot of folks that have found vulnerabilities in their stuff that pretty much refuse to deal with them."
Even if security researchers play ball with software makers and hold off on making vulnerabilities public, that might only engender a false sense of security, said flaw finder Aitel. He said that a small, but significant, number of malicious programmers could discover such security holes independently and abuse them.
"We don't feel that we are finding things that are unknown to everyone else," he said. "I am not special because I can run a debugger. Others can find -- and use -- these flaws."