Internet Security Systems Inc. on Monday released to the public the vulnerability disclosure guidelines that its internal X-Force research team uses in identifying flaws and notifying vendors and the public. The guidelines are fairly standard and include a provision that is becoming more and more common among security vendors that also do vulnerability research.. . .
Internet Security Systems Inc. on Monday released to the public the vulnerability disclosure guidelines that its internal X-Force research team uses in identifying flaws and notifying vendors and the public. The guidelines are fairly standard and include a provision that is becoming more and more common among security vendors that also do vulnerability research.

The clause informs vendors that ISS customers who subscribe to the company's X-Force Threat Analysis Service will be told about any new vulnerabilities one business day after ISS notifies the affected vendor. Customers will also get information on any countermeasures that may be available.

Other security vendors have similar policies, under which their paying customers receive early warning of newly discovered flaws. Many vendors also add a check for the vulnerability to their commercial products before the vulnerability's existence is public knowledge.

The link for this article located at eWeek is no longer available.