SecurityWeek

Microsoft Puts Its Coordinated Vulnerability Disclosure Into Action

Back in July 2010, at the Black Hat conference in Las Vegas, Microsoft announced that it would move to a new vulnerability disclosure process called “Coordinated Vulnerability Disclosure,” a reframing of responsible disclosure. The move was a response to the long-running debate between responsible disclosure (where a bug is reported privately to the software vendor, which fixes it before details are published) and full disclosure (where the bug’s details are published openly).

Today, Microsoft provided more transparency and insight into that disclosure process, announcing three updates to its disclosure practices: a “Coordinated Vulnerability Disclosure at Microsoft” document, Microsoft Vulnerability Research (MSVR) Advisories, and an internal corporate policy that establishes the protocol Microsoft employees must follow when they discover a vulnerability in a third-party product or service.

According to Microsoft, the intent is to emphasize that coordination and collaboration between finders and vendors are required to resolve security issues in a way that minimizes risk and disruption for customers. The company says feedback from the broader security community has been generally supportive.

But how will Microsoft make this program a success and how will it really impact the security community?

Marc Maiffret, CTO of eEye Digital Security and a well-respected vulnerability researcher, shared his thoughts on the announcement. While he believes Microsoft should be commended for taking a proactive role, he argues the company is missing the larger picture: Microsoft and other technology companies should tackle the two underlying problems that have driven vulnerability researchers away from working with vendors. According to Maiffret, these problems are:

1.) Vulnerability research is not easy, and researchers are not fairly compensated for it. Until this is addressed, zero-day vulnerabilities will continue to be sold to the highest bidder.

2.) Vendors that set no timeline for when a vulnerability will be patched are a constant source of frustration to researchers. There needs to be a best-practice timeline that gives vendors adequate time to produce a patch, after which researchers can publish their findings without being vilified.

Maiffret agrees that Microsoft’s latest initiatives will help its customers, but not nearly as much as compensating researchers and committing to a measurable patch window would. “There is no comparison to the exponential benefit Microsoft would have on product security by bridging the gap that has been created with the research community. The community will always be stronger than any in-house Microsoft efforts at vulnerability research and that right now equates to more zero-days being found in the wild,” Maiffret said.


For comparison, Google announced a program in November 2010 that rewards researchers who demonstrate security vulnerabilities in its Web properties. Rewards range from a base of $500 for low-risk bugs up to $3,133 when the rewards panel judges a bug to be severe or unusually clever. Notably, Google’s rules state that vulnerabilities disclosed to any party other than Google, except for the purpose of resolving the issue, typically do not qualify.

Matt Thomlinson, General Manager, Trustworthy Computing Security at Microsoft, is encouraging others to adopt the same philosophy as Microsoft. “After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem,” Thomlinson wrote in a blog post. “By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone,” he added.

The vulnerability disclosure debate will continue to be heated, and Microsoft fully acknowledges that not everyone may agree with its philosophy on vulnerability disclosure. Katie Moussouris, a Senior Security Strategist with Microsoft wrote in a blog post: “We understand that there are differing approaches to vulnerability disclosure. Even if finders do not share our disclosure philosophy, we appreciate any information finders are willing to share with us. Our hope is that finders will give us the opportunity to address the issue comprehensively with a fully tested update before releasing technical details publicly. We hope our transparency with our disclosure process encourages more finders to work with us who may not have otherwise.”

For more information on Microsoft’s Coordinated Vulnerability Disclosure, the following resources may be of interest. I’ve also included a short video that Microsoft provided that outlines the Coordinated Disclosure Process.

Related Column: Lessons from the Trenches on Implementing a Secure Development Lifecycle

Related Column: Implementing a Secure Development Lifecycle: The Importance of Executive Support

Coordinated Vulnerability Disclosure

Coordinated Vulnerability Disclosure Reloaded (Blog Post)

Coordinated Vulnerability Disclosure: From Philosophy to Practice (Blog Post)

Coordinated Vulnerability Disclosure (CVD) at Microsoft (Word Document)

Microsoft Vulnerability Research Advisories


Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
