Microsoft Seeking Smoother Bug Disclosure
Microsoft on Tuesday provided key details of a "Coordinated Vulnerability Disclosure" (CVD) program it announced in July, which is aimed at bolstering collaboration between Microsoft, its customers and the security community.
The Redmond, Washington software giant released three updates that provide key details of the program, including a Word document that clarifies Microsoft's vulnerability disclosure policy for independent and salaried security researchers. The company also published a list of Microsoft Vulnerability Research Advisories, which details privately reported, third-party vulnerabilities that have been remediated. Finally, it released to the public an internal vulnerability disclosure policy that maps out the proper procedures for Microsoft employees to follow when a bug is discovered in a third-party product or service.
Kate Moussouris, a senior strategist at MSRC and occasional Threatpost contributor, authored a blog post on TechNet that describes the general philosophy behind the CVD program. One of Microsoft's core security beliefs is that security needs to be built into software from the development phase forward. However, the company understands that certain holes will be overlooked, and in these cases, Moussouris says, it's best if disclosures are handled in such a way that risks don't become greater.
“[Microsoft’s] hope,” Moussouris writes of potential bug disclosers, “is that finders will give us the opportunity to address the issue comprehensively with a fully tested update before releasing technical details publicly. We hope our transparency with our disclosure process encourages more finders to work with us who may not have otherwise.”
The company's policies governing the disclosure of security vulnerabilities in its products have been under scrutiny for years. Tensions were heightened in 2010, after Google researcher Tavis Ormandy published the details of a critical security hole in the Microsoft Help Center after growing impatient with negotiations with the company over issuing a patch for the hole. After that information was published, Microsoft issued a patch, but not before castigating Ormandy for what it considered irresponsible disclosure of the hole. In July 2010, the company announced a new policy of "coordinated vulnerability disclosure," replacing the more pejorative-sounding "responsible vulnerability disclosure" policy. Under the new policy, researchers and vendors work together to verify a vulnerability and allow ample time for a patch, but the release of details of the flaw before a patch is ready is permitted if the hole is being actively exploited.