
Microsoft Puts Its Coordinated Vulnerability Disclosure Into Action

Back in July 2010 at the Black Hat conference in Las Vegas, Microsoft announced that it would move to a new vulnerability disclosure process called “Coordinated Vulnerability Disclosure” — a reframing of responsible disclosure — in response to the ongoing debate between responsible disclosure (where a bug is disclosed only to the software vendor who then fixes it) and full disclosure (where the bug is publicly disclosed).

Today, Microsoft provided more transparency and insight into that disclosure process, announcing three updates to its disclosure practices – a CVD at Microsoft document, MSVR Advisories, and its internal corporate disclosure of vulnerabilities policy that establishes protocols for Microsoft employees to follow when a vulnerability is discovered in a third party product or service.

According to Microsoft, the intent was to focus on how coordination and collaboration are required to resolve security issues in a way that minimizes risk and disruption for customers. The company says that overall, feedback from the broader security community has been generally supportive.

But how will Microsoft make this program a success and how will it really impact the security community?

Marc Maiffret, CTO of eEye Digital Security and a well-respected vulnerability researcher, shared some thoughts on the announcement. While he believes Microsoft should be commended for taking a proactive role, he thinks the company is missing the larger picture. He suggests that Microsoft and other technology companies should look to solve the two larger problems that have driven vulnerability researchers away from working with vendors. According to Maiffret, these problems are:

1.) Vulnerability research is not easy, and researchers are not fairly compensated. Until this is addressed, zero-day vulnerabilities will continue to be sold frequently to the highest bidder.

2.) Vendors not setting timelines for when vulnerabilities will be patched is extremely frustrating to researchers. There needs to be a best-practices timeline that gives vendors adequate time to provide a patch, but after which researchers can publish their results without being vilified.

Maiffret agrees that Microsoft’s latest initiatives will help its customers, but not as much as they would if Microsoft compensated researchers and set a measurable time period for producing a patch. “There is no comparison to the exponential benefit Microsoft would have on product security by bridging the gap that has been created with the research community. The community will always be stronger than any in-house Microsoft efforts at vulnerability research and that right now equates to more zeroday being found in the wild,” Maiffret said.

In comparison, Google announced a program back in November 2010 that rewards those able to demonstrate security vulnerabilities across its Web properties. The rewards range from a base reward of $500 for basic low-risk vulnerabilities, to $3,133 if the rewards panel finds a particular bug to be severe or unusually clever. It’s important to note that Google’s program says that vulnerabilities that are disclosed to any party other than Google, except for the purposes of resolving the vulnerability, typically don’t qualify.

Matt Thomlinson, General Manager, Trustworthy Computing Security at Microsoft, is encouraging others to adopt the same philosophy as Microsoft. “After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem,” Thomlinson wrote in a blog post. “By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone,” he added.

The vulnerability disclosure debate will continue to be heated, and Microsoft fully acknowledges that not everyone may agree with its philosophy on vulnerability disclosure. Katie Moussouris, a Senior Security Strategist with Microsoft, wrote in a blog post: “We understand that there are differing approaches to vulnerability disclosure. Even if finders do not share our disclosure philosophy, we appreciate any information finders are willing to share with us. Our hope is that finders will give us the opportunity to address the issue comprehensively with a fully tested update before releasing technical details publicly. We hope our transparency with our disclosure process encourages more finders to work with us who may not have otherwise.”

For more information on Microsoft’s Coordinated Vulnerability Disclosure, the following resources may be of interest. I’ve also included a short video that Microsoft provided that outlines the Coordinated Disclosure Process.

Related Column: Lessons from the Trenches on Implementing a Secure Development Lifecycle

Related Column: Implementing a Secure Development Lifecycle: The Importance of Executive Support

Coordinated Vulnerability Disclosure

Coordinated Vulnerability Disclosure Reloaded (Blog Post)

Coordinated Vulnerability Disclosure: From Philosophy to Practice (Blog Post)

Coordinated Vulnerability Disclosure (CVD) at Microsoft (Word Document)

Microsoft Vulnerability Research Advisories


Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
