Imposing a Time Buffer for Security Flaws

By Deane Barker on July 30, 2003

Is speaking freely about flaws a risk? Here’s a plan to give software companies lead time before the existence of a software security flaw is disclosed.

“The group hopes that researchers will give software companies at least 30 days to come up with a patch for a problem before going public with a flaw. Scott Culp, security program manager for Microsoft and an OIS member, stressed that more time does not mean the companies won’t take security seriously.”

How do they plan to enforce this? Just who do they consider “researchers”?