Internet Security Systems, which has been criticized for publicly releasing information about security problems in software before giving application developers time to deal with holes, has issued a revised set of guidelines for how it will handle security warnings.

The Atlanta-based ISS posted the guidelines on its Web site Monday, along with a statement from Chris Rouland, director of the company's X-Force group of security experts, whose aim is to determine online threats and issue information about them. Security researchers need to have standards that take into account the public's need to know about vulnerabilities but also "give ample consideration to software vendors working to remedy issues in their products," the statement said.

The guidelines, posted as a six-page document, include four phases: discovery, vendor notification, customer notification, and public disclosure. The guidelines are the same for all vendors, so developers of open-source software and proprietary developers receive equal treatment.

The link for this article located at PCWorld is no longer available.