Microsoft Makes Major Shift In Disclosure Policy

Trailrunner7 writes "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there." Here's Microsoft's announcement of the new strategy.

Re:I don't get it?

[agrif]

Switching the majority OS to GNU/Linux would have one immediate and obvious benefit: the source is widely available and widely modifiable. If we find a vulnerability, it can be diagnosed and patched immediately, without having to wait for a corporation's blessing. Hell, you don't even have to wait for the kernel team's blessing, or any other governing entity. Just post the patch and tell people about it!

It used to be clear that *nix systems were more secure, because they were actual multi-user systems. Nowadays, it's less clear. I'm certain a properly set up SELinux system is still miles more secure than Windows 7, but it's unlikely a common user will have that. However, even if there is no security advantage, I know this: Linux may not be more secure, but it is certainly easier to keep secure.