Microsoft Makes Major Shift In Disclosure Policy

Trailrunner7 writes "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as a CERT-CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there." Here's Microsoft's announcement of the new strategy.

I don't get it?

[Charliemopps]

Why would anyone report a vulnerability to Microsoft? Unless they start paying for the info, I say post it online the second you find it and to hell with Microsoft.

Re:I don't get it?

first off the majority of people wouldn't be able to immediately diagnose and patch because they have no idea how to do that. second because linux is open source you would be less secure because it is easier to find flaws and backdoors in a system that you can view its source code. and since linux uses a general public License if they request to see your source you have to give it to them because it requires that derivative works also fall under GNU's general public license. the only way to truly secure yourself is to disconnect.

Please define "ample time"

[RobertM1968]

I am very curious how Microsoft defines "ample time" especially considering some of their vulnerabilities (like the one recently "patched" in the DOS subsystem) have existed for years or decades.

This isn't a slam at Microsoft, it's a hope that someone has some clarification that can be used as a context to determine if this statement means anything. Even when the terms of their statements are less ambiguous, they seem to find ways of backpedalling - thus greater clarity on something so very ambiguous is warranted (even if it turns out to be pointless in the long run per whatever practices they actually employ).

Oh wait, the summary is not correct (of course) - but the reality of the statement is worse:

Microsoft:

CVD's core principles are simple: vendors and finders need to work closely toward a resolution; extensive efforts should be made to make a timely response; and only in the event of active attacks is public disclosure, focused on mitigations and workarounds, likely the best course of action -- and even then it should be coordinated as closely as possible.

Inotherwords, this statement really says "You should never tell anyone but us, unless active attacks are taking place - but even then, you should coordinate such with us" (at which point, they will probably say "dont tell anyone" as has been the current and previous cases.

Also, who are they to dictate how (and to who) researchers disclose such information? Is there some legal basis for this, or is (will) it be under the threat of using their financial muscle and influence to try to get the person charged with some sort of online security or terrorist crime? Yes... for those who don't know, the Patriot Act does indeed cover such things.

Additionally, the spin group at Microsoft said this, which is misleading in the grand context of this problem:

Microsoft:
However, we fundamentally believe (and our experience over the last 10 years has shown) that once vulnerability details are released publicly, the probability of exploitation rises significantly. Without coordination in place to provide a security update or tested workarounds, risk to customers is greatly amplified.

The truth is, once a vulnerability is released to the public and exploited, Microsoft is somewhat forced to fix it in a more timely fashion - as opposed to ignoring it for years (the numerous .NET exploits that still aren't fully patched) or decades (the DOS exploit recently patched).

This is really a non-news item as this is business as usual, carefully worded to seem like Microsoft is changing their stance on things (while the reality is, they are not).