The long-running dispute over when to release vulnerability information escalated last month into a bitter turf war among several security companies, all of which claimed to have their customers' best interests at heart. And while it might have started by coincidence, this latest dispute illustrates the need for a formal, documented method for reporting security vulnerabilities, according to industry experts.

The flap began June 17 when news of a serious vulnerability in the popular Apache open-source Web server software hit security mailing lists. First to report the flaw was security vendor Internet Security Systems Inc., which released an advisory the day it discovered the problem. The ISS advisory included a piece of code that the company's X-Force research team said would close the security hole. At the time, no formal patch was available.

The Apache Software Foundation, in Forest Hill, Md., which maintains the Apache software, released its own advisory later the same day, which not only criticized ISS for releasing its advisory before a patch was ready but also claimed that Atlanta-based ISS' patch didn't fix the vulnerability.

The link for this article located at eWeek is no longer available.