Internet software flaws will be made public within 45 days of discovery, under a policy initiated by an Internet-monitoring group.

The move, by Carnegie Mellon University's CERT Coordination Centre, is good for users, said network manager Josh Turiel: "I believe in full disclosure of security problems. Forty-five days is sufficient time for a vendor to fix a flaw. If it’s not done by then, users should know."

Until now, CERT has only publicized "major security flaws". Now, it will issue more frequent "vulnerability reports" on valid reported security problems.

CERT will pass on relevant information about security problems to the vendor, but the information will be released to the public up to 45 days later, even if the problem remains.

Some security experts question the wisdom of releasing specific information about security issues, fearing abuse by hackers.

Security researcher Marcus Ranum said the full-disclosure approach isn't improving computer security. Instead, Ranum said, it's only encouraging more attacks by providing would-be hackers with information on how to exploit vulnerabilities in systems.

His argument is challenged by security professional Ryan Russell, a manager at, a security portal that posted 575 vulnerability reports in 1999.

Russell contends that giving users as much detailed information about vulnerabilities as quickly as possible helps companies take appropriate action to mitigate risks and protect themselves from attacks.

Turiel said: "I would rather run the risk of having someone exploit a vulnerability I know about, than have them exploit something I don't know about."