Microsoft on Tuesday provided key details of a “Coordinated Vulnerability Disclosure” (CVD) program it announced in July and that’s aimed at bolstering collaboration between Microsoft, its customers and the security community.
The Redmond, Washington software giant released three updates that provide key details of the program, including a Word document that clarifies Microsoft’s vulnerability disclosure policy for independent and salaried security researchers. The company also published a list of Microsoft Vulnerability Research Advisories, which details privately reported, third-party vulnerabilities that have been remediated. Finally, it released to the public an internal disclosure-of-vulnerabilities policy that maps out the proper procedures for Microsoft employees to follow when a bug is discovered in a third-party product or service.
Kate Moussouris, a senior strategist at MSRC and occasional Threatpost contributor, authored a blog on TechNet that describes the general philosophy behind the CVD program. One of Microsoft’s core security beliefs is that security needs to be built into software from the development phase forward. However, the company understands that certain holes will be overlooked, and in these cases, Moussouris says, it’s best if disclosures are handled in such a way that risks don’t become greater.
“[Microsoft’s] hope,” Moussouris writes of potential bug disclosers, “is that finders will give us the opportunity to address the issue comprehensively with a fully tested update before releasing technical details publicly. We hope our transparency with our disclosure process encourages more finders to work with us who may not have otherwise.”
The company’s policies governing the disclosure of security vulnerabilities in its products have been under scrutiny for years. Tensions were heightened in 2010, after Google researcher Tavis Ormandy published the details of a critical security hole in the Microsoft Help Center after growing impatient with negotiations with the company over issuing a patch for the hole. After that information was published, Microsoft issued a patch, but not before castigating Ormandy for what it considered irresponsible disclosure of the hole. In July 2010, the company announced a new policy of “coordinated vulnerability disclosure,” replacing the more pejorative-sounding “responsible vulnerability disclosure” policy. According to the new policy, researchers and vendors work together to verify a vulnerability and allow ample time for a patch, but the policy allows for the release of details of the flaw before a patch is ready if the hole is being actively exploited.