Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Admits to Hiding Flaw Details

Posted by ryuzaki0 on from the on-a-need-to-know-basis dept.

Spongeform writes "eWeek has an interview with a Microsoft security official admitting to hiding details on software vulnerabilities that are discovered internally. The reason? Microsoft believes that full disclosure of every security-related product change only serves to aid attackers. However, companies using host-based IPS that rely on flaw information to build signatures are basically left at risk because of Microsoft's silent fixes."

1 of 147 comments (clear)

  1. Re:scandal! by perp · · Score: 2, Informative
    Doesn't SLASH have a similar policy?

    Au contraire. The RFPolicy gives the vendor five working days to respond to a communication from the discoverer of a vulnerability, after which the discoverer can go public at any time. The discoverer and vendor are encouraged to work together to make a joint statement of the vulnerability once there is a fix.

    --
    There are two kinds of sysadmins: paranoids and losers. I'm both kinds.