OIS claims that currently there are no “widely accepted” industry best practices for reporting and managing security vulnerabilities. The group believes that this makes it extremely difficult for both researchers and vendors to resolve security issues and protect internet users and “critical infrastructures.”
OIS said in a statement that it is “actively working to develop guidelines for handling vulnerability information that will be useful for security researchers and technology vendors alike,” and expects to release drafts of the standards in early 2003.
The organisation held its first formal meeting at the RSA Conference in California in February 2002. Its founding members include Microsoft, @stake, BindView, Caldera International, Foundstone, Guardent, Internet Security Systems, Network Associates, Oracle, SGI and Symantec.
More information is available at the OIS web site.