Experts: Security leaks must end

Security researchers and hackers who find vulnerabilities need to realise that discretion is more important than valour, several federal security experts said at the Defcon hacking conference.

Additionally, federal officials said they would use the government's massive purchasing power to force developers to improve the security of their products.

While acknowledging that software makers continue to release buggy products, Richard Schaeffer, deputy director of the National Security Agency, stressed that publicising a vulnerability without warning and before a patch has been created could potentially threaten US computing systems.

"Responsible disclosure means not letting out information that could do harm to critical systems falling into the wrong hands," he said.

Schaeffer's comments echoed those of presidential cybersecurity adviser Richard Clarke, who spoke last week at the Black Hat Security Briefings here. Clarke told attendees that finding vulnerabilities in buggy software is important, but properly handling the disclosure is critical.

As Clarke did, Schaeffer also blasted the software industry for the large number of bugs in their applications. "The quality of the software that we are getting is terrible," he said.

Marcus Sachs, a member of Clarke's 16-person Office of Cyberspace Security, warned that the government will use its chequebook to ensure software makers improve their products.

"We, the federal government, have enormous purchasing power," he said. By demanding more secure software, the government can directly affect the quality of product, he added.

The debate over disclosing vulnerabilities has heated up as software security has become a high priority in government and industry. Security researchers who find vulnerabilities often use the information to embarrass companies and score public relations points for their own firms. Conversely, software makers frequently fail to find or disclose problems in a timely manner.

Early last week, for example, Hewlett-Packard threatened a security researcher with a lawsuit for releasing information about a flaw in Tru64, the company's high-end server software. HP backed off the threat Thursday.

While he didn't support such tactics, Sachs underscored the seriousness of releasing vulnerability information before a patch has been created.

"Microsoft is widely used in the critical infrastructure--more than we thought," Sachs said, stressing that publicised flaws that have not been corrected could damage government systems.

"The time (to deal with this) is now," he said. "We are past the point where we can keep talking about it."


Talkback (1 comment)

Neville Angove -- 05/08/02

    If news about security flaws is not widely disseminated, too many small users will not be aware of either the flaws or their patches. Considering how much major vendors charge for applications, and the lengthy registration details demanded from purchasers, the government would do better by forcing the vendors to adopt policies of contacting all registered users by at least e-mail about the need to apply patches. It is a lot cheaper for a vendor to mass-mail 100,000 warnings than it is for 100,000 purchasers to spend several hours a week searching for news about the latest patches.
