Some vendors have gone to great lengths to prevent security researchers from disclosing details about certain vulnerabilities. Last July, Cisco won a court injunction preventing a researcher from publicly discussing a hack of its router software. The company even compelled the organizers of the Black Hat USA conference to destroy CDs and rip out more than 30 pages containing slides about the vulnerability from the conference proceedings. Last March, Sybase Inc. temporarily threatened to sue Litchfield's firm if it published details on eight security flaws in Sybase's database software.

Cisco and Sun don't follow a regular schedule for releasing patches and instead roll them out as fixes for flaws become available, which makes the patching process less predictable for users, analysts said. In addition, Cisco doesn't rate its flaws, leaving it up to IT administrators to decide how serious a vulnerability may be.

'Of all the vendors we deal with, Microsoft is one of the best in terms of the processes they have in place' for addressing security threats, Sutton said. That includes having formal procedures for vulnerability discovery and assessment, patch development, testing and automated distribution, as well as a predictable patching cycle, he said.

Cooperative effort

Microsoft has also shown a growing willingness to work with security researchers who discover flaws, according to users and analysts.