Microsoft Makes Major Shift In Disclosure Policy
Trailrunner7 writes "Microsoft is changing the way in which it handles vulnerability disclosures, now moving to a model it calls coordinated vulnerability disclosure, in which the researcher and the vendor work together to verify a vulnerability and allow ample time for a patch. However, the new philosophy also recognizes that if there are attacks already happening, it may be necessary to release details of the flaw even before a patch is ready. The new CVD strategy relies on researchers to report vulnerabilities either directly to a vendor or to a trusted third party, such as CERT/CC, who will then report it to the vendor. The finder and the vendor would then try to agree on a disclosure timeline and work from there." Here's Microsoft's announcement of the new strategy.
In response to the second step in the Coordinated Vulnerability Disclosure ("Step 2: Hurry Up and Wait"), I've printed several copies of the CVD on quadruple ply tissue paper and stocked all the restrooms with it. I've also prepared a special four course meal for Mr. Ormandy consisting of Taco Bell, a cup of coffee, a cigarette and a spoonful of castor oil.
Mr. Ormandy, I think you know what to do. I really found it amusing that they called the blog posting "Bringing Balance to the Force" when it looks to be completely defined by Microsoft with little or no input from the community.
My work here is dung.
Looks like Google's policy announcement from July 20 rattled some MS cages.
God is imaginary
What is the researcher's motivation to spend the extra time working with Microsoft? They certainly have no obligation to do anything Microsoft asks...
Personally, I prefer the Google and Mozilla method whereby researchers are paid a bounty of a few thousand dollars for reporting vulnerabilities in the manner the vendor prefers. Microsoft would be wise to follow the leaders rather than invent their own convoluted process.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
So they are formalizing common sense into a policy.
It is a lot better than the previous formal policy of bat-shit crazy.
"You want to know how to help your kids? Leave them the fuck alone." -George Carlin
Posting anonymously for obvious reasons. What happens today if one emails Apple's product security team (product-security@apple.com)? A few things. First, you get a generic pre-generated email that acknowledges that Apple received your email. Next, if you're lucky, you get an email from an analyst who has reviewed your vulnerability. What happens next?
1) No updates are provided. Ever.
2) If you ask for an update as to when the vulnerability will be fixed, you will not get a detailed response.
3) Apple waits several months.
4) Apple waits several months.
5) Apple fixes the bug, possibly.
6) You get an email from Apple asking how you want to be credited.
7) If you're lucky, Apple will send you an email with notification of when they're planning to fix the issue, along with the exact wording of the specific advisory.
8) If you're lucky, Apple will fix the advisory in the week they say they will.
9) Normally, the date will slip a few weeks. Or maybe a month.
I applaud Microsoft for doing this. Hopefully Apple will follow suit and move out of the stone ages.
Personally, I prefer the Google and Mozilla method whereby researchers are paid a bounty of a few thousand dollars for reporting vulnerabilities in the manner the vendor prefers. Microsoft would be wise to follow the leaders rather than invent their own convoluted process.
There's a fundamental problem with your comparisons. When a security bug is released in Firefox, you see the Mozilla Foundation marvel at the cleverness of the attack. Then a distributed net of individuals quickly work together in an agile way to get the hotfix out, and then some time is spent testing and hardening that fix. When a security bug is released targeting Chrome or any of Google's products, you see Google developers who are comfortable on their campuses swing long hours and work together to push out a fix as quickly as possible. These are all sensible approaches to security bugs.
...
...
With Microsoft, however, you see the heavy thudding of a big corporation. You see a complex inner working of management slow things down. Somebody might ask for an estimate on how much money this is going to cost, and that estimate comes back a week later. Senior management starts shredding documents. Engineers start falling from helicopters in Redmond. A tornado of chairs leaves several injured. Microsoft's campus looks like the Superdome following Katrina. People are chained to their desks. The reason they ask for 60 days is because that's how long it takes FEMA aid to reach Microsoft.
You just can't compare the two.
Switching the majority OS to GNU/Linux would have one immediate and obvious benefit: the source is widely available and widely modifiable. If we find a vulnerability, it can be diagnosed and patched immediately, without having to wait for a corporation's blessing. Hell, you don't even have to wait for the kernel team's blessing, or any other governing entity. Just post the patch and tell people about it!
It used to be clear that *nix systems were more secure, because they were actual multi-user systems. Nowadays, it's less clear. I'm certain a properly set up SELinux system is still miles more secure than Windows 7, but it's unlikely a common user will have that. However, even if there is no security advantage, I know this: Linux may not be more secure, but it is certainly easier to keep secure.
OSS: find a bug, fix it (because you can), submit code changes
CSS: find a bug, see a lawyer, contact a CERT, wait several weeks for a response, sign an NDA, share vulnerability information, wait 2 months, ask for status, wait for an answer for 4 more months, realize that the vendor will do squat about the vulnerability as long as its customers don't know how threatened they are, release the information to the public to put pressure on the vendor, be threatened by the vendor's lawyers, be called a criminal by the vendor's customers, the press and politicians, have your house searched, wait 2 more months, get the patch, realize that it doesn't fix the problem, rinse and repeat
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes