Group seeks curbs on security reports

Eleven software makers and security firms announced on Thursday the formation of a group that intends to set down rules regarding how the security community should responsibly release information on software flaws.

The members of the group, which first discussed the issues nearly a year ago, hope to bridge the gap between two camps: the security firms and independent consultants who release information about flaws to grab media attention, and the software companies that frequently find themselves with egg on their face over the holes in their applications.

"Today, there are no agreed-upon processes for handling security vulnerabilities," the group said in a statement on its Web site. "The lack of any consensus procedures complicates the process of fixing vulnerabilities, and ultimately increases the risk that all computer users face."

The group stressed that any guidelines that it creates will be just that; no enforcement mechanism will be advocated.

Earlier this year, members of the nascent group supported an official set of draft disclosure guidelines that were submitted to the Internet's technical body, the Internet Engineering Task Force, only to be turned down as being outside the IETF's purview.

The draft guidelines were intended to make peace between the two sides of the security debate: the software companies that want to quietly fix their flawed applications without suffering embarrassment, and the security researchers who would rather trumpet the slip-ups for their own aggrandisement.

The proposed rules suggested that companies respond to security researchers within a week of being notified of a potential flaw and that researchers give software companies at least 30 days to fix the flaw before making information about it public.

That it took a year to organise the group speaks to the difficulty in getting the two sides of the vulnerability equation to see eye to eye.

An incident in June caused a great deal of tension as well. Security firm Internet Security Systems, a member of the OIS, released information about a flaw in the most popular Web server on the Internet, Apache, after giving only a few hours' notice to the software's developer group. While the OIS's own guidelines call for a 30-day period, ISS claimed that the vulnerability was already being used by hackers in the underground and thus needed to be released.

Even so, employees of the group's other members criticised the premature disclosure.

Causing further trouble, according to an employee of another group member who asked not to be identified, is the group's 20-page legal membership agreement.

Members of the group are security companies @Stake, BindView, Foundstone, Guardent, ISS, NAI, and Symantec as well as software makers Caldera International, Microsoft, Oracle and SGI.


Talkback 2 comments

    Aggrandisement? -- Anonymous, 30/09/02

    "the software companies that want to quietly fix their flawed applications without suffering embarrassment and the security researcher who would rather trumpet the slipups for their own aggrandisement."

    OK, come on. The argument is far more about the argument between those who believe that users (and yes, company reputations) are better protected by partial or full disclosure only after the vendor has released a fix, and those who believe that prompt disclosure is the best way to protect users so that they can work around the problem before any fix comes out, and so that the vendor has no excuse to take forever to release a patch.

    Both arguments have a lot of merit, and a middle ground is probably the best choice. I do take issue with your characterization of the debate, though - I'd consider that misleading at best, though there _is_ an element of what you described involved in the issue.

    Boring!!! -- K.Styles, 30/09/02

    Boring!!! If it does get off the ground it will be just another bureaucracy with no power to control ANYTHING. Guidelines of this nature are useless in our present corporate business setup. NO ONE is obliged to either accept them or implement them! DUH!!! And even if they do, so what? When push comes to shove, who is going to enforce the recommendations? Without sufficient resources (money) it just won't happen.
    The problem wouldn't exist if software companies (designers & programmers) did their job correctly in the first place. That means designing & testing the software correctly in the first place. Not after the event!
    It's interesting to compare what happens to a bridge design engineer or company if the bridge falls down, and especially if it kills people in the process. They get taken to court and sued for damages and negligence. Computer software is no different in this day and age. It should be subject to the full force of the law when it is not up to scratch. Make them pay for their mistakes. They will soon get the message and do it correctly in the first place, or go out of business. It is, unfortunately, an industry (I can't call it a profession because it isn't!) which has allowed mediocrity to replace excellence. We allow the software industry to get away with daylight robbery. It is way past the time to do it right, or don't do it at all. A toothless tiger will not fix the problems which are endemic in this industry.
