A well-known hacker has vowed to disclose the details of at least one browser flaw every day in July as part of a project, called the Month of Bugs, that is designed to draw attention to unpatched security vulnerabilities.
Since the beginning of July, H.D. Moore, a researcher and the creator of the widely used Metasploit security toolkit, has already exposed several unpatched flaws in Internet Explorer, Firefox, and Apple's Safari.
"The vendors have been notified and the time has come to start publishing the results," Moore said in a blog posting. "This information is being published to create awareness about the types of bugs that plague modern browsers, and to demonstrate the techniques I used to discover them."
Bug Infestation
Inspired by the work of another security researcher, Moore wrote a program that could test and gauge the effect of mangled Web page code on leading Internet browsers. Hundreds of crashes later, Moore discovered several dozen flaws, including 50 in Internet Explorer alone.
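The article describes Moore's program only in outline. The following is an added illustration of the same idea, written for this page and not Moore's code or anything from the article: a mutation-based fuzzer that mangles a seed web page, feeds each variant to a parser, and records how the parser reacts, collapsing repeated failures into distinct signatures the way "hundreds of crashes" become "several dozen flaws". Python's html.parser stands in for the browser so the loop runs offline; the seed document, the mutation operators, and every name below are constructed for this illustration.

```python
"""Added example: a small mutation-based HTML fuzzing harness.

Python's html.parser is only a stand-in target so this runs offline; a real
browser fuzzer launches the browser as a separate process and watches for a
crash rather than a caught Python exception.
"""
import random
import re
import traceback
from html.parser import HTMLParser

# Constructed seed page (assumption: any small, well-formed document works).
SEED_HTML = (
    '<html><head><title>t</title></head>'
    '<body><div id="a" style="width:10px"><p>hello <b>world</b></p>'
    '<img src="x.png" width="10" height="10"></div></body></html>'
)


def mutate_delete(doc, rng):
    """Drop a short random slice of the document."""
    i = rng.randrange(len(doc))
    j = min(len(doc), i + rng.randint(1, 8))
    return doc[:i] + doc[j:]


def mutate_duplicate(doc, rng):
    """Repeat a short random slice many times (length-handling stress)."""
    i = rng.randrange(len(doc))
    j = min(len(doc), i + rng.randint(1, 16))
    return doc[:j] + doc[i:j] * rng.randint(2, 50) + doc[j:]


def mutate_bignum(doc, rng):
    """Replace the first digit run with a boundary value (integer-size probing)."""
    value = str(rng.choice([0, -1, 2**31, 2**32 - 1, 10**18]))
    return re.sub(r"\d+", value, doc, count=1)


def mutate_nest(doc, rng):
    """Open a tag hundreds of times without closing it (nesting-depth stress)."""
    tag = rng.choice(["div", "b", "table", "span"])
    depth = rng.randint(50, 500)
    return doc.replace("<p>", "<p>" + ("<%s>" % tag) * depth, 1)


MUTATORS = [mutate_delete, mutate_duplicate, mutate_bignum, mutate_nest]


def make_case(seed_doc, rng, rounds=3):
    """Apply a few randomly chosen mutations to the seed document."""
    doc = seed_doc
    for _ in range(rounds):
        doc = rng.choice(MUTATORS)(doc, rng)
    return doc


def generate_cases(seed_doc, n, seed):
    """Deterministic batch of test cases for a given PRNG seed."""
    rng = random.Random(seed)
    return [make_case(seed_doc, rng) for _ in range(n)]


class Target(HTMLParser):
    """Stand-in for the browser: walks the document and counts start tags."""

    def __init__(self):
        super().__init__()
        self.tags = 0

    def handle_starttag(self, tag, attrs):
        self.tags += 1


def run_case(doc):
    """Return ('ok', None) or ('exception', signature).

    The signature (exception type, function, line) is what lets repeated
    hits of the same bug be counted once during triage.
    """
    try:
        parser = Target()
        parser.feed(doc)
        parser.close()
        return ("ok", None)
    except Exception as exc:
        frame = traceback.extract_tb(exc.__traceback__)[-1]
        return ("exception", (type(exc).__name__, frame.name, frame.lineno))


def fuzz(seed_doc=SEED_HTML, iterations=200, seed=1):
    """Run the loop; return outcome counts and first input per unique signature."""
    stats = {"ok": 0, "exception": 0}
    unique = {}
    for case in generate_cases(seed_doc, iterations, seed):
        outcome, sig = run_case(case)
        stats[outcome] += 1
        if sig is not None and sig not in unique:
            unique[sig] = case
    return stats, unique


if __name__ == "__main__":
    counts, findings = fuzz()
    print(counts, len(findings), "distinct failure signatures")
```

Against html.parser every case comes back "ok", which is the expected result for a lenient, non-recursive parser; the point of the harness is the shape of the loop (seed, mutate, run, classify, deduplicate), which is the same whether the target is a library or a browser process whose crash is detected by its exit status.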
While Moore has already begun to release detailed data on flaws he identified in the major Web browsers, he noted in his blog that none of the information published during the Month of Bugs would include specifics that could result in malicious attacks or enable a hacker to run unauthorized code on a remote computer.
Even so, the practice of disclosing such flaws to the general public is widely derided by the software companies, who have traditionally argued that it would be more responsible to alert the companies first so they have time to patch the software before those with malicious intent can develop exploits that take advantage of the flaws.
Andrew Jaquith, a Yankee Group analyst, pointed to feuds that have erupted between security researchers and Oracle, Microsoft, and Apple in the past three months alone.
"There will always be tension between software vendors who make large, complex, and occasionally vulnerable software products, and the researchers who find bugs in them," Jaquith explained. "This will continue, and there will never be a resolution to it."
Safety Officer
Whatever the reason, whether it is to garner attention or to educate users about the perils they face browsing the Internet, Moore's project highlights a major problem with Web browsers, said Avivah Litan, an analyst at Gartner.
"The fact remains that the browsers have too many vulnerabilities and we are all better off if Moore exposes them before the criminals exploit them," Litan said.
Litan also said she believes that the increased attention drawn to browser glitches will result in a safer environment for Web surfers because it will keep the pressure on Microsoft and other browser makers to tighten the security in their software. "Nothing is foolproof," she said. "But we need to keep raising the security bars to keep the bad guys out."
Jaquith offered a different take, saying he thinks Moore's project could give criminals access to data that will make it easier for them to exploit the flaws. The Yankee Group analyst called such full-disclosure tactics the "nuclear option."
Bad guys, Jaquith said, probably look at researchers as "useful idiots" who provide them unwittingly with free raw materials to construct malicious software.
"I don't know what H.D.'s process was -- but it looks like the details are being made public before the vendors can release corresponding patches," he said. "So I'd say, 'No, it's not responsible disclosure.'"