In recent years, software companies have hammered out rules with researchers on disclosure, which cover how and when vulnerabilities are made public. Now flaw finders want something in return: more information from software providers on what they are doing to tackle the holes the researchers have reported. "We have gone from the old "full disclosure" to "responsible disclosure" debate, to a debate over "The vendor has the information--what does it do with it?"" said Steven Lipner, senior director for security engineering strategy at Microsoft.
Software vendors need to establish protocols for interacting with researchers who share bug information, experts said. If they don"t, they could risk losing the progress that has been made towards responsible disclosure of flaws. Many bug hunters now understand and follow the "responsible disclosure" guidelines advocated by software companies. Under this approach, a researcher who uncovers a flaw will, as a first step, contact the maker of the affected software and share details of the vulnerability.