Proactive IT security

Microsoft's Coordinated Vulnerability Disclosure policy

Introduction

Microsoft believes that the process of vulnerability disclosure is a shared responsibility best practiced in strong coordination between finders, vendors, and protection providers working together to protect customers, businesses, and critical infrastructure.


The quote above is from Microsoft's recently published new policy for "Coordinated Vulnerability Disclosure".

The many problems associated with vulnerability disclosures have been discussed in our security articles several times during the years. Today, we shall examine Microsoft's revisions of its policy.

A little background information

The dilemmas involved in vulnerability disclosures have been discussed several times in our security articles, most thoroughly here:

Those who advocate full disclosure of vulnerabilities and those who want the software vendors to have "appropriate" time to offer a remedy represent the two sides of this ongoing discussion. The arguments on both sides are detailed in the articles above.

In the article from June last year we state that the crucial point, the one that should be the basis for any decision regarding how and when to disclose a vulnerability, is:

to minimize the risk of users being exposed to malware.

Our statement focuses on users, while the quote from Microsoft mentions customers, businesses, and critical infrastructure.

News in Microsoft's strategy

Microsoft's revised strategy is discussed in a blog post from the Microsoft Security Response Center dated 19 April, Coordinated Vulnerability Disclosure: From Philosophy to Practice, which links to a Word document with more details: Coordinated Vulnerability Disclosure at Microsoft.

Not surprisingly, Microsoft advocates a "responsible disclosure" policy.

Under the principle of Coordinated Vulnerability Disclosure, finders disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product, to a national CERT or other coordinator who will report to the vendor privately, or to a private service that will likewise report to the vendor privately. The finder allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the finder throughout the vulnerability investigation and provides the finder with updates on case progress. Upon release of an update, the vendor may recognize the finder in bulletins or advisories for finding and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the finder and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to protect themselves.


The policy defines three different roles for Microsoft:

  1. As a finder of vulnerabilities
  2. As a vulnerability coordinator (relevant for vulnerabilities that affect several program vendors)
  3. As an affected vendor

One new outcome of this is that Microsoft will disclose vulnerabilities in third-party products as Microsoft Vulnerability Research (MSVR) Advisories. These will normally be published either at the same time as, or after, the affected vendor releases its own advisory. The Microsoft Security Response Center has more information on Microsoft's Coordinated Vulnerability Disclosure.

As of this writing, Microsoft has published two advisories for third-party products (the web browsers Chrome and Opera). The advisories are published in Microsoft Vulnerability Research (MSVR) Advisories Archive.

Summing up

The resources from Microsoft referred to above are recommended reading for understanding the process involved in finding, reporting, fixing and informing about a vulnerability.

As one of the largest companies in the software industry, Microsoft will, through this policy, influence the way vulnerabilities are handled, and it is useful to be informed about it.