Microsoft is changing the way in which it handles vulnerability disclosures, moving to a model it calls coordinated vulnerability disclosure (CVD), in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if attacks are already happening, it may be necessary to release details of the flaw even before a patch is ready.
The shift is a subtle one from Microsoft, which has always been at the heart of the debate over full disclosure of security vulnerabilities. The company has been very vocal in the past about its assertion that all vulnerabilities in its products should be reported privately to the company and the researcher should then give Microsoft some undisclosed amount of time to come up with a fix. The new CVD strategy still doesn’t lay out a timeline for patch releases, but it represents a public change in the way the company is thinking.
The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there.
“Newly discovered vulnerabilities in hardware, software, and services are disclosed directly to the vendors of the affected product, to a CERT-CC or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor an opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before detailed vulnerability or exploit information is shared publicly. If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves,” said Matt Thomlinson, general manager of Microsoft’s Trustworthy Computing group.
“CVD does not represent a huge departure from the current definition of ‘responsible disclosure,’ and we would still view vulnerability details being released broadly outside these guidelines as putting customers at unnecessary levels of risk. However, CVD does allow for more focused coordination on how issues are addressed publicly. CVD’s core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action, and even then it should be coordinated as closely as possible.”
The change from Microsoft comes close on the heels of several other major shifts in the landscape recently, including the decisions by both Google and Mozilla to raise their bounties for security bugs to $3,133.7 and $3,000, respectively. Microsoft has steadfastly refused to pay bug bounties in the past, though there are persistent rumors that the company may do so at some point in the near future.
The CVD plan closely resembles other disclosure strategies that have been released over the years, and incorporates some elements of plans that researchers have suggested. The use of trusted third parties, such as the CERT-CC, is something that has been suggested by a number of people in the past, and has the advantage of including a dispassionate organization that can work with both the researcher and the vendor when conflicts arise or if the vendor is unresponsive.
The new CVD policy, in fact, incorporates some of the elements that were laid out in a plan written by the now-defunct Organization for Internet Safety in 2004, particularly the use of third parties to help moderate the process.
The key concession in the new CVD strategy is the acknowledgement that there are times when it may be necessary for the researcher to disclose details of a given vulnerability before a patch is ready. Historically, researchers have done this when a vendor is unresponsive or when the researcher doesn’t think the vendor is making a good-faith effort to fix a flaw quickly enough. Microsoft’s policy, however, ties early disclosure to a different trigger: cases where attacks against the vulnerability are already underway in the wild and security staff need information on the problem to help protect their networks.
Katie Moussouris, a senior security strategist at Microsoft, said in a related blog post that the company needs help from the research community to make this CVD philosophy work.
“Responsible Disclosure should be deprecated in favor of something focused on getting the job done, which is to improve security and to protect users and systems. As such, Microsoft is asking researchers to work with us under Coordinated Vulnerability Disclosure, and added some coordinated public disclosure possibilities before a vendor-supplied patch is available when active attacks are underway. It uses the trigger of attacks in the wild to switch modes, which is an event that is objectively observable by many independent sources,” she wrote.

“Make no mistake about it, CVD is basically founded on the initial premise of Responsible Disclosure, but with a coordinated public disclosure strategy if attacks begin in the wild. That said, what’s critical in the reframing is the heightened role coordination and shared responsibility play in the nature and accepted practice of vulnerability disclosure. This is imperative to understand amidst a changing threat landscape, where we all accept that no longer can one individual, company or technology solve the online crime challenge.”