A late-night panel discussion between US government officials, security experts, and attendees of last week's Black Hat Security Briefings in Las Vegas contained plenty of tension. After listening all day to the government's official line about how software security holes should be reported, the audience quickly poked holes in the strategy and expressed frustration at how specific vendors, including Microsoft, respond to new vulnerabilities. Here's the government's plan: If security researchers discover a vulnerability in a software program, they should first contact the software vendor. If the vendor does not respond, researchers should inform the CERT coordination center. If CERT does not respond, they should alert the government's National Infrastructure Protection Center (NIPC). The panel, entitled "Vulnerability Disclosures: What the Feds Think," was moderated by Michael I. Morgenstern of Global Intersec LLC. He is also co-author of a paper on responsible vulnerability reporting. Panelists included Richard George, a National Security Agency mathematician; Scott Culp of Microsoft; Marcus Sachs from the White House; Dave Farrell of SRI International; and Tom Parker of Global Intersec UK. After agreeing that irresponsible reporting of software bugs leads to more Internet worms and Web attacks, the panelists were challenged with questions from the audience for more than two hours. One questioner asked about a secret agreement between several vendors not to disclose any new vulnerabilities in Microsoft software, except to Microsoft. Microsoft's Scott Culp denied that any such agreement exists. Continuing his defense of Microsoft's security practices, Culp said that people often think they are reporting a vulnerability when they aren't. "They send the details to some random address at Microsoft or don't even bother with that." He said if anyone sends him a vulnerability, he'll personally look into it. Microsoft has also established a new procedure for reporting vulnerabilities on its Web site (click here for details). Culp emphasized that if anyone who discovers a software flaw wants credit for that discovery, he or she should go to directly to CERT. One attendee mentioned that some vendors refuse to acknowledge provable vulnerabilities. Some software bugs -- such as those with which no legitimate security exploits have been associated -- are not worth reporting. "We don't want to waste a system administrator's time testing and plugging every little thing," he said. When another audience member asked why software manufacturers can't be held criminally liable for their products, but Ford and Firestone can, the White House's Marcus Sachs speculated, "The court isn't going to get involved until someone gets killed."