Microsoft has announced a new initiative around vulnerability reporting in order to align efforts between researchers and vendors.
Stating that the term ‘responsible disclosure’ was too subjective, it has now labelled the practice ‘coordinated vulnerability disclosure’. Matt Thomlinson, general manager of security at Microsoft's Trustworthy Computing group, wrote in a blog post that he believed that the community mindset needs to shift.
He said: “Framing a key point — that coordination and collaboration are required to resolve issues in a way that minimises risk and disruption for customers. Responsibility is still imperative, but it is a shared responsibility across the community of security researchers, security product providers and other software vendors.”
Microsoft has suggested that newly discovered flaws should be reported privately to the affected vendor. Alternatively, researchers can take their discoveries to coordinators such as CERT/CC or to a private service that offers payment for submissions, such as TippingPoint's Zero Day Initiative or VeriSign's iDefense. These entities would privately notify the impacted vendor.
The submitter should then allow the vendor time to confirm the bug and offer corrective actions, such as patches or workarounds.
“If attacks are underway in the wild, earlier public vulnerability details disclosure can occur with both the finder and the vendor working together as closely as possible to provide consistent messaging and guidance to customers to protect themselves,” Thomlinson said.
Chris Wysopal, CTO of application security provider Veracode, told SC Magazine US that all too often it is vendors calling the shots. Wysopal, who joined more than a dozen other industry experts in consulting with Microsoft on the announcement, said: “I think the biggest issue that finders or researchers have is the timeline. I could tell you that most researchers are frustrated with vendors for taking what seems to be too long a time.
“I think that goes to show you that vendors can develop and come up with fixes faster. The only way that can happen is if customers put pressure on the vendors.”
Microsoft has said that its main priority is preventing researchers from publishing details of a security issue before customers have been offered protection; as part of the new initiative it sets no maximum deadline by which patches must be issued.
“As Microsoft shifts its philosophy to this new approach, we are asking the broader security community to embrace the purpose of this shift, which is ultimately about minimising customer risk — not amplifying it. This distinction is critical,” said Thomlinson.