Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft to Introduce Faster Security Disclosures

Posted by timothy on from the mistakes-were-made dept.

Starwax writes "Here's a very interesting strategy by Microsoft. After years of complaining about irresponsible disclosure of security alerts by grey hats, Microsoft will now confirm and discuss the vulnerabilities in a new pilot project launching on Tuesday. Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation."

15 of 101 comments (clear)

  1. Business Day? by republican+gourd · · Score: 4, Interesting

    Microsoft isn't open on weekends? Is that too much to ask a multi-billion dollar company?

    Waiting until monday (especially as weekend time is usually the best to schedule downtime) strikes me as a silly idea.

    1. Re:Business Day? by 0x461FAB0BD7D2 · · Score: 4, Insightful

      Would IT technicians come back on weekends to fix their systems? If not, then making vulnerabilities public at that time only helps script kiddies.

      Waiting until Monday ensures that IT guys get a rest too.

    2. Re:Business Day? by Gabey · · Score: 3, Insightful

      Would IT technicians come back on weekends to fix their systems?

      A good IT technician would do what it takes to keep their systems secure. Coming in on a weekend isn't asking too much. Too bad good IT technicians are tough to find.

    3. Re:Business Day? by 0x461FAB0BD7D2 · · Score: 4, Insightful

      Good IT technicians do what it takes to keep their systems secure, given their resources. But expecting them to slave over their systems, testing and rolling out every new patch as soon as it's out is ludicrous.

      If coming in on a weekend isn't asking too much, where do you draw the line?

    4. Re:Business Day? by SnprBoB86 · · Score: 4, Funny

      "where do you draw the line?"

      I'm not sure where you draw the line, but I can tell you that if you would take a bullet for a server... you've crossed it, wherever it is...

      --
      http://brandonbloom.name
  2. Security Through Selective Publicity by Doc+Ruby · · Score: 3, Funny

    Microsoft will now announce that Microsoft will announce security alerts within one business day of their reporting to Microsoft. Microsoft announces that any security holes not announced by Microsoft must therefore not exist. It's the industry standard: "We have a policy that we are not being hacked."

    --

    --
    make install -not war

    1. Re:Security Through Selective Publicity by AstroDrabb · · Score: 3, Insightful
      While a lot of mods modded you up Funny, this is exactly what will happen. MS will just announce the exploits they want. Those exploits will be the ones they have a quick-fix for. MS is all about marketing. MS wants to be able to say, "See, we fixed XXX number of bugs/holes this past year and we fixed each one in 24 hours of "notification"" or less.

      MS will just overlook any 'exploit" they cant fix in a timely fashion and say that those exploits/bugs were never reported to them "correctly".

      Give me a call when MS becomes a _real_ company and just owns up to the fact that there will always be bugs in code. As a Senior Programmer for a fortune 500, I can back up that statement. Bugs/exploits happen and there is nothing anyone including MS can do about it. The best/only thing MS should do is just have a mailing list that notifies any subscriber about any reported possible bug/exploit. These notifications shouldn't have to go through a bunch of bean-counter.

      --
      If Tyranny and Oppression come to this land,
      it will be in the guise of fighting a foreign enemy. -James Madison
  3. Re:i hate to sound like a total dunce by filtur · · Score: 5, Funny
    but what is a grey hat?

    Someone who can't decided on whether to be a black hat or a white hat. Kinda like Michael Jackson

  4. Re:i hate to sound like a total dunce by YouCanCallMeAl · · Score: 4, Informative

    Gray Hat Somewhere between a "good guy" and a "bad guy" in terms of computer security.

  5. Re:i hate to sound like a total dunce by commodoresloat · · Score: 3, Funny

    It's a big cone shaped hat you have to put on before you sit in the corner.

  6. Re:i hate to sound like a total dunce by m50d · · Score: 4, Informative

    A hacker/cracker who does illegal stuff but not unethical things.

    --
    I am trolling
  7. Interesting Strategy? by lecithin · · Score: 4, Insightful

    "Advisories will be issued within one business day of a publicly reported security hole"

    If it is already public, does it matter? So, does this mean that if they know of something, they are going to wait until somebody else finds the problem and makes it public before letting their customers (and the rest of the world) know?

    I'm missing the interesting strategy on this one. Just sounds like they want us to think that they are being proactive. I dunno. Perhaps I am the only one that thinks that Microsoft is evil.

    --
    It could be worse, it could be Monday.
  8. There is still a problem ... by El+Cubano · · Score: 3, Interesting

    Advisories will be issued within one business day of a publicly reported security hole along with guidance and mitigation.

    So, Microsoft only will do something if inaction stands to bring them negative attention. What I would like to see from Microsoft (and other commercial and/or closed source vendors) is a commitment to treat the security holes their own developers discover in the same way.

    I just don't think it is right to withhold the information, espcially if admins can use it so secure their sites, until the threat of public disclosure by a third party is imminent or past.

  9. My favorite line by portwojc · · Score: 5, Insightful

    when researchers jump the gun and release vulnerability details before a patch is available.

    Jump the gun? Oh that's right telling Microsoft there's a security flaw and waiting months before going public is jumping the gun after all.

    Gotta love these articles. Nice spin make the researchers look like the bad guys...

    At least now we'll get to hear about flaws quicker and that they don't have a patch or a work around.

  10. microsoft sucking less by poor_boi · · Score: 4, Funny

    Does anyone else get a sinking feeling in their tummy every time Microsoft does something right, something better, or something intelligent? I like hating them. If I can't hate them, I'll have to hate something else. And I haven't been paying much attention to worthy targets over the past few years. I'm afraid I might have to turn my hate inwards if they improving. And that can't be good.