Software Flaws: To Tell or Not to Tell? / Open Source in the US Government

In October, GreyMagic, an Israeli Web application company, warned the public of security flaws that could make Internet Explorer vulnerable to malicious hacking. While the warning itself was of some interest, even more fascinating was the software giant's response. Microsoft publicly chided the firm for divulging the bugs' existence before Microsoft could fix them. For its part, GreyMagic told the media that its past efforts to notify Microsoft before a public disclosure had yielded no meaningful results.

This is not the only recent incident in which Microsoft has tussled over the issue of disclosure. Last year the Finnish firm Oy Online Solutions spotted an Internet Explorer bug and talked with Microsoft about the problem. Oy Online agreed to give the software giant time to fix the bug but eventually went public anyway, saying Microsoft was endangering users' data by failing to produce a timely patch.

These incidents spotlight an issue that has long simmered in the software world. When should software bugs be made public? Should software makers get a chance to fix these problems before the general public is informed? If so, how much time should they have? Are standards needed to govern this arena?