However, the longer-term picture is not as clear, with officials remaining tight-lipped over whether a review of existing legislation is likely to encompass the area.
Several US individuals and companies that have publicly disclosed security flaws in software have been threatened with legal action under the Digital Millennium Copyright Act.
"That's a legal move that is not being mirrored here yet," Zaid Alsaji, associate director of IT security and assurance at CMG IT Services, told ZDNet Australia.
Sarah Chidgey, senior legal officer at the Criminal Law Branch of the Attorney-General's Department, said the government was currently reviewing telecommunications offences with a view to addressing technological developments. The online publication of web site vulnerabilities is one aspect that could be considered, but Chidgey declined to comment on what the review actually covered.
Alsaji claims that third-party security companies play an important role in improving software security.
"Our experience is that improvements in the security of products have largely come about from people finding vulnerabilities and reporting them to developers," he said. "Clearly the checks the software developers are putting in place are not catching all the problems."
Alsaji said it was important that people report vulnerabilities in a responsible manner, because once a particular vulnerability is published the number of attacks against it mushrooms. Nevertheless, it is important to publish so that people can guard against the attacks.
"It's not a question of whether you should or shouldn't publish on the web, it's a question of when," said Alsaji. "It should be disclosed after a suitable fix has been developed. It's quite malicious for someone to publish on the net and not provide some way to get a solution."
Due to the threat of legal consequences, some security companies in America are reconsidering reporting flaws in software. Hewlett-Packard recently threatened litigation against security company Secure Network Operations after one of its employees publicly disclosed a vulnerability and how to exploit it. Another consultant with the security company, Kevin Finisterre, said he'll now think twice before voluntarily informing another company of any security holes he finds.
Even the White House has weighed in on the controversy. While acknowledging the need for third-party discovery of flaws, President Bush's cyber security team believes that more stringent ethics need to be the rule, rather than the exception.
"We are reaching a crossroad where decisions have to be made as to which way people are going to go: Are they going to continue to function as a security consultant or go to the dark side?" said Howard Schmidt, vice chairman of the White House's Critical Infrastructure Protection Board.
In Australia, the Cybercrimes Act 2001 makes it an offence to cause the unauthorised modification of computer data with the intent to impair the functionality of the data or access to it. This offence attracts a maximum penalty of 10 years imprisonment.
The possession or supply of data or programs with the intent of committing a serious computer offence, or of assisting someone else to do so, carries a maximum penalty of three years under the act.
"These offences do not apply to a person who publishes information identifying website vulnerabilities," according to Chidgey. "The 'unauthorised impairment of data' offence applies only to the actual impairment of data and does not cover the publication of information about software flaws."
"The 'supply of data' offence only applies where a person actually supplies software tools with the intention that they be used to impair computer data or electronic communications. It does not apply to the provision of information relating to software vulnerabilities," she said. However, publishing material that urges the commission of a computer offence with the intent that the offence be committed would fall under the Act, according to Chidgey.