The Internet Engineering Task Force (IETF) yesterday rejected a proposal submitted by leading security experts on standard procedures for the reporting and fixing of security vulnerabilities.

The internet watchdog said the paper, originally submitted at the end of last month, was "inappropriate".

The Responsible Disclosure Process internet draft was written by two well known industry figures: Steve Christey, lead infosec engineer at defence company Mitre; and Chris Wysopal, director of research and development for @stake.

It was designed to settle the differences between the full disclosure and limited disclosure camps. But the IETF, as a technical standards body, rejected the proposal on the grounds that human procedure is not its jurisdiction.

Security watchers have long argued that the current method of security bug reporting is disparate and chaotic at best, and often results in vulnerability details being released before patches.

Christey and Wysopal's proposal suggests the creation of security co-ordinators to work with bug reporters and vendors as central points of contact to ensure proper communication and testing of reported bugs.

The proposal also pushes for vendors to acknowledge bug reports within seven days, and provide updates and status reports until an issue is resolved.

Although the proposal has suffered a setback at the first hurdle, the pair said they would try to resubmit it to an alternative body.