Microsoft Makes Major Shift In Disclosure Policy
Trailrunner7 writes "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there." Here's Microsoft's announcement of the new strategy.
In response to the second step in the Coordinated Vulnerability Disclosure ("Step 2: Hurry Up and Wait"), I've printed several copies of the CVD on quadruple ply tissue paper and stocked all the restrooms with it. I've also prepared a special four course meal for Mr. Ormandy consisting of Taco Bell, a cup of coffee, a cigarette and a spoonful of castor oil.
Mr. Ormandy, I think you know what to do. I really found it amusing that they called the blog posting "Bringing Balance to the Force" when it looks to be completely defined by Microsoft with little or no input from the community.
My work here is dung.
Looks like Google's policy announcement from July 20 rattled some MS cages.
God is imaginary
What is the researcher's motivation to spend the extra time working with Microsoft? They certainly have no obligation to do anything Microsoft asks...
Personally, I prefer the Google and Mozilla method whereby researchers are paid a bounty of a few thousand dollars for reporting vulnerabilities in the manner the vendor prefers. Microsoft would be wise to follow the leaders rather than invent their own convoluted process.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
So they are formalizing common sense into a policy.
It is a lot better than the previous formal policy of bat-shit crazy.
"You want to know how to help your kids? Leave them the fuck alone." -George Carlin
I will clarify this for you.
Apple is an insular and paranoid company. They are built upon the myth that the Mac/iPhone/iPad/iPod platform is "safe". They are selling an image: of computing platforms that are safe and secure for the end-user. Reality does not agree with Apple.
Most responsible researchers will play Apple's game, and part of their game is sending out inaccurate and vague responses as to when they may (or may not) fix what vulnerabilities have been found. I think it's helpful for people to know how Apple really works.
OSS: find a bug, fix it (because you can), submit code changes
CSS: find a bug, see a lawyer, contact a CERT, wait several weeks for a response, sign an NDA, share vulnerability information, wait 2 months, ask for status, wait for an answer for 4 more months, realize that the vendor will do squat about the vulnerability as long as his customers don't know how threatened they are, release the info to the public to put pressure on the vendor, be threatened by the vendor's lawyers, be called a criminal by the vendor's customers and the press and politicians, have your house searched, wait 2 more months, get patch, realize that it doesn't fix the problem, rinse and repeat
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes