Microsoft earns patching praise from IT execs

20.01.2006

Oracle's centralized vulnerability handling group has been working over the past two to three years to ramp up its processes for developing, testing, porting and distributing patches, Harris said.

Cisco officials have said that their response to the vulnerability disclosure at the Black Hat conference was reasonable because they were trying to protect the vendor's intellectual property and prevent the release of information that attackers could use as instructions for targeting routers.

This week, Mike Caudill, Cisco's product security incident manager, said Cisco plans to continue releasing security fixes as they become available instead of making users wait for periodic updates. And it's unlikely that Cisco will start rating the severity of its flaws.

"Our approach is to explain the risk and not say if it's a 'red' or a 'yellow' or a 'green,'" Caudill said. "We'll explain the problem and let customers decide" what to do.

Caudill said Cisco has a long tradition of working with security researchers who find vulnerabilities in its products. But, he added, researchers need to be more consistent in the manner in which they disclose flaws to vendors.