Hackers moving quicker than security community
In a report to be released on Tuesday, researchers have found that hackers and online criminals are moving at a much quicker pace than the security community, which at times cannot keep up.
The AP previewed the report and highlighted two key findings in a story filed on Monday.
From the AP (via Yahoo News):
The first is that online criminals have latched on in a big way to programs that help them automatically generate attacks based on publicly available information about vulnerabilities. In the past they apparently spent more time finding such holes themselves, but no longer find that as necessary.
“The bad guys are not the ones actively finding vulnerabilities — they’ve shifted their business to standing on the shoulders of the security research community,” Kris Lamb, operations manager for X-Force, said in an interview. “They don’t have to do the hard work anymore. Their job is packaging what’s been provided to them.”
The second trend is that the debate among security researchers is intensifying over how much information should be released to the public when a new software flaw is discovered.
Most times the researcher will wait until the affected company has released a software patch before revealing details. But sometimes researchers will release not only details of the vulnerability but also so-called “proof-of-concept” exploit code to show the flaw is legitimate.
That runs the risk of providing criminals a framework for building their attacks, and saves them valuable time in doing so. Lamb said this finding “begs the question” of what the security industry’s standard practice should be.