Microsoft's new rule for dealing with security flaws
As a reaction to the growing criticism of its procedure for dealing with security flaw discoveries, Microsoft has announced a paradigm shift. "Responsible Disclosure" is dead; long live "Coordinated Vulnerability Disclosure" (CVD).
As before, the focus is on cooperation between security experts and software vendors with the goal of keeping users out of harm's way. Information about a vulnerability is only to be made public once the vendor has developed and published a patch. But Microsoft does not mention the critical point: what happens when the vendor takes months or even more than a year to do so?
On Wednesday, Google's security team announced their new policy of a 60-day grace period within which software vendors are to provide fixes for critical flaws. If no patch is provided by that time, Google's security experts reserve the right to make their knowledge public. Microsoft has not gone along with this idea and makes no mention of such an obligation in its announcement. The only thing that Microsoft has to say to those waiting is that information about vulnerabilities can be made public even before a vendor has provided a patch if a flaw is demonstrably already being actively exploited. As Microsoft's Katie Moussouris explains in her blog post, the company still wishes to work with proponents of the competing concept of full disclosure.
The idea that a security problem that is already being actively exploited can be discussed in public actually goes without saying. In other words, Microsoft has really only announced a name change. But the software firm also makes it clear that it no longer intends to call everyone who does not support Microsoft's interpretation of "responsible disclosure" irresponsible. That's not much, but at least it's an indication that the emotional discussion, which had practically come to a standstill, has finally started moving again.
- Microsoft vulnerabilities: full disclosure and no disclosure, a report from The H.