Slashdot Mirror


Microsoft to Introduce Faster Security Disclosures

Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."

6 of 101 comments

  1. Re:Business Day? by 0x461FAB0BD7D2 · Score: 4, Insightful

    Would IT technicians come back on weekends to fix their systems? If not, then making vulnerabilities public at that time only helps script kiddies.

    Waiting until Monday ensures that IT guys get a rest too.

  2. Interesting Strategy? by lecithin · Score: 4, Insightful

    "Advisories will be issued within one business day of a publicly reported security hole"

    If it is already public, does it matter? So, does this mean that if they know of something, they are going to wait until somebody else finds the problem and makes it public before letting their customers (and the rest of the world) know?

    I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive. I dunno. Perhaps I am the only one that thinks that Microsoft is evil.

    --
    It could be worse, it could be Monday.

  3. My favorite line by portwojc · Score: 5, Insightful

    when researchers jump the gun and release vulnerability details before a patch is available.

    Jump the gun? Oh, that's right, telling Microsoft there's a security flaw and waiting months before going public is jumping the gun after all.

    Gotta love these articles. Nice spin, making the researchers look like the bad guys...

    At least now we'll get to hear about flaws quicker, and that they don't have a patch or a workaround.

  4. Re:Business Day? by Gabey · Score: 3, Insightful

    Would IT technicians come back on weekends to fix their systems?

    A good IT technician would do what it takes to keep their systems secure. Coming in on a weekend isn't asking too much. Too bad good IT technicians are tough to find.

  5. Re:Security Through Selective Publicity by AstroDrabb · Score: 3, Insightful

    While a lot of mods modded you up Funny, this is exactly what will happen. MS will just announce the exploits they want. Those exploits will be the ones they have a quick fix for. MS is all about marketing. MS wants to be able to say, "See, we fixed XXX number of bugs/holes this past year and we fixed each one in 24 hours of 'notification' or less."

    MS will just overlook any 'exploit' they can't fix in a timely fashion and say that those exploits/bugs were never reported to them "correctly".

    Give me a call when MS becomes a _real_ company and just owns up to the fact that there will always be bugs in code. As a Senior Programmer for a Fortune 500, I can back up that statement. Bugs/exploits happen, and there is nothing anyone, including MS, can do about it. The best/only thing MS should do is just have a mailing list that notifies any subscriber about any reported possible bug/exploit. These notifications shouldn't have to go through a bunch of bean-counters.

    --
    If Tyranny and Oppression come to this land,
    it will be in the guise of fighting a foreign enemy. - James Madison

  6. Re:Business Day? by 0x461FAB0BD7D2 · Score: 4, Insightful

    Good IT technicians do what it takes to keep their systems secure, given their resources. But expecting them to slave over their systems, testing and rolling out every new patch as soon as it's out is ludicrous.

    If coming in on a weekend isn't asking too much, where do you draw the line?