However, one independent programmer, who was behind the identification of several high-profile security holes, said he doubted that the initial proposal for the industry group would address the core problem behind malicious attacks on software.
"I'm not sure if any hard and fast guidelines are particularly useful," said Marc Slemko, a Seattle-based developer, adding that a 30-day grace period could backfire and take pressure off software makers to fix problems quickly and accurately.
"Some don't have a user's best interest in mind," he said.
Earlier this month, Slemko published technical findings of an exploit he discovered in Microsoft's Passport authentication service. He published them three days after he made Microsoft aware of the problem and two days after it was fixed. Slemko has a history of airing security flaws, including one in September that he said left Verizon Wireless Inc. vulnerable to exploits.
"It certainly is true that there are certain individuals that go about releasing security holes in ways that are not designed in the best interest of the companies or the users of that software," Slemko said. "While I don't see any obligation to consider these guidelines seriously, there are some societal responsibilities to the users of the products."
Guardent's Schwartz stressed that the proposals from the new group will also force the software makers to act more responsibly.
"They're going to be under more pressure because they're going to have reporting requirements to follow," Schwartz said.
Microsoft agreed during the conference that it must be more responsible to ensure security in its products, he said.
"Obviously, Microsoft has some interest in this -- their customers are getting beaten up," he said.
Inquiries about the new working group can be directed to Guardent in Waltham, Massachusetts, at +1-781-577-6500, or online at http://www.guardent.com/. Microsoft Corp. in Redmond, Washington, can be reached at +1-425-882-8080, or online at http://www.microsoft.com/.